archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/base/fs/efs/create.c

1311 lines
42 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1996 Microsoft Corporation
  5. Module Name:
  7. create.c
  9. Abstract:
  11. This module will handle the IRP_MJ_CREATE (and all associated support
  12. routines) requests.
  14. Author:
  16. Robert Gu (robertg) 29-Oct-1996
  17. Environment:
  19. Kernel Mode Only
  21. Revision History:
  23. --*/
  25. #include "efs.h"
  26. #include "efsrtl.h"
  27. #include "efsext.h"
  30. #ifdef ALLOC_PRAGMA
  31. //
  32. // cannot make this code paged because of calls to
  33. // virtual memory functions.
  34. //
  35. //#pragma alloc_text(PAGE, EFSFilePostCreate)
  36. //#pragma alloc_text(PAGE, EFSPostCreate)
  37. //
  38. #endif
  41. NTSTATUS
  42. EFSFilePostCreate(
  43. IN PDEVICE_OBJECT VolDo,
  44. IN PIRP Irp,
  45. IN PFILE_OBJECT FileObject,
  46. IN NTSTATUS Status,
  47. IN OUT PVOID *PCreateContext
  48. )
  49. {
  50. PEFS_CONTEXT pEfsContext;
  51. KIRQL savedIrql;
  52. NTSTATUS EfsStatus = STATUS_SUCCESS;
  55. PAGED_CODE();
  57. if (!PCreateContext) {
  58. return Status;
  59. }
  61. pEfsContext = *PCreateContext;
  63. if (( NT_SUCCESS( Status ) && (Status != STATUS_PENDING) && (Status != STATUS_REPARSE))
  64. && pEfsContext){
  66. if ( NO_FURTHER_PROCESSING != pEfsContext->Status ){
  68. PIO_STACK_LOCATION irpSp;
  70. irpSp = IoGetCurrentIrpStackLocation( Irp );
  73. #if DBG
  74. if ( (EFSTRACEALL | EFSTRACELIGHT ) & EFSDebug ){
  76. DbgPrint( " EFSFILTER: Begin post create. \n" );
  78. }
  79. #endif
  81. if ((pEfsContext->EfsStreamData) &&
  82. (EFS_STREAM_TRANSITION == ((PEFS_STREAM)(pEfsContext->EfsStreamData))->Status)) {
  84. PSID SystemSid;
  85. SID_IDENTIFIER_AUTHORITY IdentifierAuthority = SECURITY_NT_AUTHORITY;
  87. //
  88. // $EFS indicates transition state.
  89. // Only the system can open it
  90. //
  92. SystemSid = ExAllocatePoolWithTag(
  93. PagedPool,
  94. RtlLengthRequiredSid(1),
  95. 'msfE'
  96. );
  98. if ( SystemSid ){
  100. EfsStatus = RtlInitializeSid( SystemSid, &IdentifierAuthority, (UCHAR) 1 );
  102. if ( NT_SUCCESS(EfsStatus) ){
  104. PACCESS_TOKEN accessToken = NULL;
  105. PTOKEN_USER UserId = NULL;
  107. *(RtlSubAuthoritySid(SystemSid, 0 )) = SECURITY_LOCAL_SYSTEM_RID;
  109. //
  110. // We got the system SID. Now try to get the caller's SID.
  111. //
  113. accessToken = irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ClientToken;
  114. if(!accessToken) {
  115. accessToken = irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.PrimaryToken;
  116. }
  117. if ( accessToken ){
  119. //
  120. // Get User ID
  121. //
  123. EfsStatus = SeQueryInformationToken(
  124. accessToken,
  125. TokenUser,
  126. &UserId
  127. );
  129. if ( NT_SUCCESS(EfsStatus) ){
  131. //
  132. // Got the user SID
  133. //
  135. if ( !RtlEqualSid ( SystemSid, UserId->User.Sid) ) {
  137. EfsStatus = STATUS_ACCESS_DENIED;
  139. }
  140. }
  142. ExFreePool( UserId );
  144. } else {
  145. //
  146. // Cannot get the user token
  147. //
  149. EfsStatus = STATUS_ACCESS_DENIED;
  151. }
  153. }
  155. ExFreePool( SystemSid );
  157. } else {
  159. EfsStatus = STATUS_INSUFFICIENT_RESOURCES;
  161. }
  163. } else {
  164. //
  165. // $EFS in normal status
  166. // Set Key Blob and/or write $EFS
  167. //
  168. // Legacy problem, The fourth parameter of EfsPostCreate (OpenType)
  169. // was used to indicate a recovery open. The design was changed. Now
  170. // this parameter is not used. It is not worth to take out the parameter
  171. // now. This will need to change several modules, EFS.SYS, KSECDD.SYS
  172. // SEcur32.lib and LSASRV.DLL. We might just leave it as reserved for future use.
  173. // To speed up a little bit, pass in 0.
  174. //
  176. EfsStatus = EFSPostCreate(
  177. VolDo,
  178. Irp,
  179. pEfsContext,
  180. 0
  181. );
  183. }
  184. }
  186. }
  188. if (pEfsContext){
  190. //
  191. // Release memory if necessary
  192. //
  194. *PCreateContext = NULL;
  195. if ( pEfsContext->EfsStreamData ) {
  197. ExFreePool(pEfsContext->EfsStreamData);
  198. pEfsContext->EfsStreamData = NULL;
  200. }
  202. ExFreeToNPagedLookasideList(&(EfsData.EfsContextPool), pEfsContext );
  203. }
  205. if (!NT_SUCCESS(EfsStatus)) {
  206. return EfsStatus;
  207. }
  209. return Status; // If EFS operation succeeded, just return the original status code.
  211. }
  215. NTSTATUS
  216. EFSPostCreate(
  217. IN PDEVICE_OBJECT DeviceObject,
  218. IN PIRP Irp,
  219. IN PEFS_CONTEXT EfsContext,
  220. IN ULONG OpenType
  221. )
  223. /*++
  225. Routine Description:
  227. This function calls the EFS server to get FEK, $EFS, set Key Blob and or write $EFS.
  229. We could not use user's space to talk to LSA so we need to attach to LSA to allocate
  231. memory in LSA space. We could cause APC dead lock if we call LSA while attached to LSA.
  233. We need to detach before calling LSA and reattach to get data back from LSA.
  235. Arguments:
  237. DeviceObject - Pointer to the target device object.
  239. Irp - Pointer to the I/O Request Packet that represents the operation.
  241. EfsContext - A context block associated with the file object.
  243. OpenType - File create(open) option
  245. IrpContext - NTFS internal data
  247. FileHdl - NTFS internal data
  249. AttributeHandle - NTFS internal data
  252. --*/
  253. {
  254. PEFS_KEY fek = NULL;
  255. PEFS_DATA_STREAM_HEADER efsStream = NULL;
  256. PVOID currentEfsStream = NULL;
  257. NTSTATUS status = STATUS_SUCCESS;
  258. PIO_STACK_LOCATION irpSp = IoGetCurrentIrpStackLocation( Irp );
  259. PVOID bufferBase = NULL;
  260. ULONG currentEfsStreamLength = 0;
  261. ULONG bufferLength;
  262. SIZE_T regionSize = 0;
  263. PACCESS_TOKEN accessToken = NULL;
  264. PTOKEN_USER UserId = NULL;
  265. GUID *EfsId = NULL;
  266. HANDLE CrntProcess = NULL;
  267. BOOLEAN ProcessAttached = FALSE;
  268. BOOLEAN ProcessNeedAttach = FALSE;
  269. SECURITY_IMPERSONATION_LEVEL ImpersonationLevel = SecurityImpersonation;
  270. KAPC_STATE ApcState;
  271. /*
  272. PIO_SECURITY_CONTEXT sContext;
  273. sContext = irpSp->Parameters.Create.SecurityContext;
  274. DbgPrint( "\n PostCreate: Desired Access %x\n", sContext->DesiredAccess );
  275. DbgPrint( "\n PostCreate: Orginal Desired Access %x\n", sContext->AccessState->OriginalDesiredAccess );
  276. DbgPrint( "\n PostCreate: PrevGrant Access %x\n", sContext->AccessState->PreviouslyGrantedAccess );
  277. DbgPrint( "\n PostCreate: Remaining Desired Access %x\n", sContext->AccessState->RemainingDesiredAccess );
  278. */
  279. //
  280. // Check if we can use the cache to verify the open
  281. //
  283. if ( !(EfsContext->Status & NO_OPEN_CACHE_CHECK) ){
  285. if ( irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ClientToken ){
  286. accessToken = irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ClientToken;
  287. ImpersonationLevel = irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ImpersonationLevel;
  288. } else {
  289. accessToken = irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.PrimaryToken;
  290. }
  292. if ( accessToken ){
  294. //
  295. // Get User ID
  296. //
  298. status = SeQueryInformationToken(
  299. accessToken,
  300. TokenUser,
  301. &UserId
  302. );
  304. if ( NT_SUCCESS(status) ){
  306. if ( EfsFindInCache(
  307. &((( PEFS_DATA_STREAM_HEADER ) EfsContext->EfsStreamData)->EfsId),
  308. UserId
  309. )) {
  311. ExFreePool( UserId );
  312. #if DBG
  313. if ( (EFSTRACEALL ) & EFSDebug ){
  314. DbgPrint( " EFS:Open with cache. \n" );
  315. }
  316. #endif
  317. return ( STATUS_SUCCESS );
  318. }
  319. }
  321. //
  322. // UserId will be freed later
  323. //
  325. }
  327. //
  328. // Check cache failure should not block the normal operations
  329. //
  331. status = STATUS_SUCCESS;
  332. }
  334. //
  335. // Clear the cache bit
  336. //
  338. EfsContext->Status &= ~NO_OPEN_CACHE_CHECK;
  340. //
  341. // Check if it is ACCESS_ATTRIBUTE ONLY
  342. //
  344. if ( !( irpSp->Parameters.Create.SecurityContext->AccessState->PreviouslyGrantedAccess &
  345. ( FILE_APPEND_DATA | FILE_READ_DATA | FILE_WRITE_DATA | FILE_EXECUTE )) &&
  346. ( EfsContext->Status & TURN_ON_ENCRYPTION_BIT ) &&
  347. ( !(EfsContext->Status & (NEW_FILE_EFS_REQUIRED | NEW_DIR_EFS_REQUIRED)))){
  349. //
  350. // A new stream is to be created without data access required. We might not
  351. // have the keys to decrypt the $EFS. We just need to turn on the bit here.
  352. // Changed the real action required.
  353. // Free the memory not required by this action.
  354. //
  355. #if DBG
  356. if ( (EFSTRACEALL ) & EFSDebug ){
  357. DbgPrint( " EFS:Open accessing attr only. \n" );
  358. }
  359. #endif
  361. if (EfsContext->EfsStreamData){
  362. ExFreePool(EfsContext->EfsStreamData);
  363. EfsContext->EfsStreamData = NULL;
  364. }
  365. EfsContext->Status = TURN_ON_ENCRYPTION_BIT | TURN_ON_BIT_ONLY ;
  367. } else if ( !(EfsContext->Status & TURN_ON_BIT_ONLY) ) {
  369. if (accessToken == NULL){
  370. if ( irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ClientToken ){
  371. accessToken = irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ClientToken;
  372. ImpersonationLevel = irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ImpersonationLevel;
  373. } else {
  374. accessToken = irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.PrimaryToken;
  375. }
  377. //
  378. // Get User ID
  379. //
  381. status = SeQueryInformationToken(
  382. accessToken,
  383. TokenUser,
  384. &UserId
  385. );
  387. if (!NT_SUCCESS(status)) {
  389. //
  390. // Do not refresh the cache
  391. //
  393. UserId = NULL;
  394. status = STATUS_SUCCESS;
  395. }
  397. }
  399. //
  400. // Allocate virtual memory.
  401. // Move the $EFS to virtual memory, LPC requires this.
  402. //
  404. if ( PsGetCurrentProcess() != EfsData.LsaProcess ){
  406. ProcessNeedAttach = TRUE;
  408. status = ObReferenceObjectByPointer(
  409. EfsData.LsaProcess,
  410. 0,
  411. NULL,
  412. KernelMode);
  414. if ( NT_SUCCESS(status) ) {
  415. KeStackAttachProcess (
  416. EfsData.LsaProcess,
  417. &ApcState
  418. );
  419. ProcessAttached = TRUE;
  420. }
  422. }
  424. CrntProcess = NtCurrentProcess();
  426. if ( NT_SUCCESS(status) ) {
  427. if (EfsContext->EfsStreamData){
  428. regionSize = currentEfsStreamLength = * (ULONG*)(EfsContext->EfsStreamData);
  430. status = ZwAllocateVirtualMemory(
  431. CrntProcess,
  432. (PVOID *) &currentEfsStream,
  433. 0,
  434. &regionSize,
  435. MEM_COMMIT,
  436. PAGE_READWRITE
  437. );
  438. }
  439. }
  440. }
  442. if ( NT_SUCCESS(status) ){
  444. BOOLEAN OldCopyOnOpen;
  445. BOOLEAN OldEffectiveOnly;
  446. SECURITY_IMPERSONATION_LEVEL OldImpersonationLevel;
  447. PACCESS_TOKEN OldClientToken;
  450. OldClientToken = PsReferenceImpersonationToken(
  451. PsGetCurrentThread(),
  452. &OldCopyOnOpen,
  453. &OldEffectiveOnly,
  454. &OldImpersonationLevel
  455. );
  457. if ( EfsContext->Status != (TURN_ON_ENCRYPTION_BIT | TURN_ON_BIT_ONLY) &&
  458. ( NULL != currentEfsStream) ){
  460. RtlCopyMemory(
  461. currentEfsStream,
  462. EfsContext->EfsStreamData,
  463. currentEfsStreamLength
  464. );
  466. //
  467. // Free the memory first to increase chance of getting new memory
  468. //
  470. ExFreePool(EfsContext->EfsStreamData);
  471. EfsContext->EfsStreamData = NULL;
  472. }
  474. //
  475. // Detach process before calling user mode
  476. //
  478. if (ProcessAttached){
  479. KeUnstackDetachProcess(&ApcState);
  480. ProcessAttached = FALSE;
  481. }
  483. switch ( EfsContext->Status & ACTION_REQUIRED){
  484. case VERIFY_USER_REQUIRED:
  486. status = PsImpersonateClient(
  487. PsGetCurrentThread(),
  488. accessToken,
  489. TRUE,
  490. TRUE,
  491. ImpersonationLevel
  492. );
  494. //
  495. // Call service to verify the user
  496. //
  498. if (NT_SUCCESS(status)) {
  499. status = EfsDecryptFek(
  500. &fek,
  501. (PEFS_DATA_STREAM_HEADER) currentEfsStream,
  502. currentEfsStreamLength,
  503. OpenType,
  504. &efsStream,
  505. &bufferBase,
  506. &bufferLength
  507. );
  509. if ( OldClientToken ) {
  510. PsImpersonateClient(
  511. PsGetCurrentThread(),
  512. OldClientToken,
  513. OldCopyOnOpen,
  514. OldEffectiveOnly,
  515. OldImpersonationLevel
  516. );
  517. PsDereferenceImpersonationToken(OldClientToken);
  518. } else {
  519. PsRevertToSelf( );
  520. }
  521. } else {
  523. //
  524. // Impersonation failed
  525. //
  527. if ( OldClientToken ) {
  528. PsDereferenceImpersonationToken(OldClientToken);
  529. }
  532. }
  534. break;
  536. case NEW_FILE_EFS_REQUIRED:
  537. //
  538. // Call service to get new FEK, $EFS
  539. //
  541. if (EfsContext->Flags & SYSTEM_IS_READONLY) {
  542. ASSERT(FALSE);
  543. status = STATUS_MEDIA_WRITE_PROTECTED;
  544. if ( OldClientToken ) {
  545. PsDereferenceImpersonationToken(OldClientToken);
  546. }
  547. break;
  548. }
  550. status = PsImpersonateClient(
  551. PsGetCurrentThread(),
  552. accessToken,
  553. TRUE,
  554. TRUE,
  555. ImpersonationLevel
  556. );
  559. if (NT_SUCCESS(status)) {
  561. status = EfsGenerateKey(
  562. &fek,
  563. &efsStream,
  564. (PEFS_DATA_STREAM_HEADER) currentEfsStream,
  565. currentEfsStreamLength,
  566. &bufferBase,
  567. &bufferLength
  568. );
  570. if ( OldClientToken ) {
  571. PsImpersonateClient(
  572. PsGetCurrentThread(),
  573. OldClientToken,
  574. OldCopyOnOpen,
  575. OldEffectiveOnly,
  576. OldImpersonationLevel
  577. );
  578. PsDereferenceImpersonationToken(OldClientToken);
  579. } else {
  580. PsRevertToSelf( );
  581. }
  583. } else {
  585. //
  586. // Impersonation failed
  587. //
  589. if ( OldClientToken ) {
  590. PsDereferenceImpersonationToken(OldClientToken);
  591. }
  593. }
  594. break;
  596. case NEW_DIR_EFS_REQUIRED:
  597. //
  598. // Call service to get new $EFS
  599. //
  601. if (EfsContext->Flags & SYSTEM_IS_READONLY) {
  602. ASSERT(FALSE);
  603. status = STATUS_MEDIA_WRITE_PROTECTED;
  604. if ( OldClientToken ) {
  605. PsDereferenceImpersonationToken(OldClientToken);
  606. }
  607. break;
  608. }
  610. status = PsImpersonateClient(
  611. PsGetCurrentThread(),
  612. accessToken,
  613. TRUE,
  614. TRUE,
  615. ImpersonationLevel
  616. );
  618. if (NT_SUCCESS(status)) {
  619. status = GenerateDirEfs(
  620. (PEFS_DATA_STREAM_HEADER) currentEfsStream,
  621. currentEfsStreamLength,
  622. &efsStream,
  623. &bufferBase,
  624. &bufferLength
  625. );
  627. if ( OldClientToken ) {
  628. PsImpersonateClient(
  629. PsGetCurrentThread(),
  630. OldClientToken,
  631. OldCopyOnOpen,
  632. OldEffectiveOnly,
  633. OldImpersonationLevel
  634. );
  635. PsDereferenceImpersonationToken(OldClientToken);
  636. } else {
  637. PsRevertToSelf( );
  638. }
  639. } else {
  641. //
  642. // Impersonation failed
  643. //
  645. if ( OldClientToken ) {
  646. PsDereferenceImpersonationToken(OldClientToken);
  647. }
  649. }
  650. break;
  652. case TURN_ON_BIT_ONLY:
  653. //
  654. // Fall through intended
  655. //
  657. default:
  659. if ( OldClientToken ) {
  660. PsDereferenceImpersonationToken(OldClientToken);
  661. }
  663. break;
  664. }
  667. if ( ProcessNeedAttach ){
  669. KeStackAttachProcess (
  670. EfsData.LsaProcess,
  671. &ApcState
  672. );
  673. ProcessAttached = TRUE;
  675. }
  677. if (fek && (fek->Algorithm == CALG_3DES) && !EfsData.FipsFunctionTable.Fips3Des3Key ) {
  679. //
  680. // User requested 3des but fips is not available, quit.
  681. //
  684. if (bufferBase){
  686. SIZE_T bufferSize;
  688. bufferSize = bufferLength;
  689. ZwFreeVirtualMemory(
  690. CrntProcess,
  691. &bufferBase,
  692. &bufferSize,
  693. MEM_RELEASE
  694. );
  696. }
  697. status = STATUS_ACCESS_DENIED;
  698. }
  700. if ( NT_SUCCESS(status) ){
  702. KEVENT event;
  703. IO_STATUS_BLOCK ioStatus;
  704. PIRP fsCtlIrp;
  705. PIO_STACK_LOCATION fsCtlIrpSp;
  706. ULONG inputDataLength;
  707. ULONG actionType;
  708. ULONG usingCurrentEfs;
  709. ULONG FsCode;
  710. PULONG pUlong;
  712. //
  713. // We got our FEK, $EFS. Set it with a FSCTL
  714. // Prepare the input data buffer first
  715. //
  717. switch ( EfsContext->Status & ACTION_REQUIRED ){
  718. case VERIFY_USER_REQUIRED:
  720. EfsId = ExAllocatePoolWithTag(
  721. PagedPool,
  722. sizeof (GUID),
  723. 'msfE'
  724. );
  726. if ( EfsId ){
  727. RtlCopyMemory(
  728. EfsId,
  729. &(((PEFS_DATA_STREAM_HEADER) currentEfsStream)->EfsId),
  730. sizeof( GUID ) );
  731. }
  733. //
  734. // Free memory first
  735. //
  736. ZwFreeVirtualMemory(
  737. CrntProcess,
  738. &currentEfsStream,
  739. &regionSize,
  740. MEM_RELEASE
  741. );
  743. //
  744. // Prepare input data buffer
  745. //
  747. inputDataLength = EFS_FSCTL_HEADER_LENGTH + 2 * EFS_KEY_SIZE( fek );
  749. actionType = SET_EFS_KEYBLOB;
  751. if ( efsStream && !(EfsContext->Flags & SYSTEM_IS_READONLY)){
  752. //
  753. // $EFS updated
  754. //
  756. inputDataLength += *(ULONG *)efsStream;
  757. actionType |= WRITE_EFS_ATTRIBUTE;
  758. }
  760. currentEfsStream = ExAllocatePoolWithTag(
  761. PagedPool,
  762. inputDataLength,
  763. 'msfE'
  764. );
  766. //
  767. // Deal with out of memory here
  768. //
  769. if ( NULL == currentEfsStream ){
  771. //
  772. // Out of memory
  773. //
  775. status = STATUS_INSUFFICIENT_RESOURCES;
  776. break;
  778. }
  780. pUlong = (ULONG *) currentEfsStream;
  781. *pUlong = ((PFSCTL_INPUT)currentEfsStream)->CipherSubCode
  782. = actionType;
  784. ((PFSCTL_INPUT)currentEfsStream)->EfsFsCode = EFS_SET_ATTRIBUTE;
  786. RtlCopyMemory(
  787. ((PUCHAR) currentEfsStream) + EFS_FSCTL_HEADER_LENGTH,
  788. fek,
  789. EFS_KEY_SIZE( fek )
  790. );
  792. RtlCopyMemory(
  793. ((PUCHAR) currentEfsStream) + EFS_FSCTL_HEADER_LENGTH
  794. + EFS_KEY_SIZE( fek ),
  795. fek,
  796. EFS_KEY_SIZE( fek )
  797. );
  799. if ( efsStream && !(EfsContext->Flags & SYSTEM_IS_READONLY)){
  801. RtlCopyMemory(
  802. ((PUCHAR) currentEfsStream) + EFS_FSCTL_HEADER_LENGTH
  803. + 2 * EFS_KEY_SIZE( fek ),
  804. efsStream,
  805. *(ULONG *)efsStream
  806. );
  808. }
  810. //
  811. // Encrypt our Input data
  812. //
  813. EfsEncryptKeyFsData(
  814. currentEfsStream,
  815. inputDataLength,
  816. sizeof(ULONG),
  817. EFS_FSCTL_HEADER_LENGTH + EFS_KEY_SIZE( fek ),
  818. EFS_KEY_SIZE( fek )
  819. );
  821. //
  822. // Let's clear the plain FEK
  823. //
  825. RtlSecureZeroMemory(EFS_KEY_DATA(fek), fek->KeyLength);
  827. break;
  829. case NEW_FILE_EFS_REQUIRED:
  831. EfsId = ExAllocatePoolWithTag(
  832. PagedPool,
  833. sizeof (GUID),
  834. 'msfE'
  835. );
  837. if ( EfsId ){
  838. RtlCopyMemory(
  839. EfsId,
  840. &(efsStream->EfsId),
  841. sizeof( GUID ) );
  842. }
  844. //
  845. // Free memory first
  846. //
  848. if ( currentEfsStream ){
  849. ZwFreeVirtualMemory(
  850. CrntProcess,
  851. &currentEfsStream,
  852. &regionSize,
  853. MEM_RELEASE
  854. );
  855. }
  857. //
  858. // Prepare input data buffer
  859. //
  861. inputDataLength = EFS_FSCTL_HEADER_LENGTH
  862. + 2 * EFS_KEY_SIZE( fek )
  863. + *(ULONG *)efsStream;
  865. currentEfsStream = ExAllocatePoolWithTag(
  866. PagedPool,
  867. inputDataLength,
  868. 'msfE'
  869. );
  871. //
  872. // Deal with out of memory here
  873. //
  874. if ( NULL == currentEfsStream ){
  876. status = STATUS_INSUFFICIENT_RESOURCES;
  877. break;
  879. }
  881. pUlong = (ULONG *) currentEfsStream;
  882. *pUlong = ((PFSCTL_INPUT)currentEfsStream)->CipherSubCode
  883. = WRITE_EFS_ATTRIBUTE | SET_EFS_KEYBLOB;
  885. ((PFSCTL_INPUT)currentEfsStream)->EfsFsCode = EFS_SET_ATTRIBUTE;
  887. RtlCopyMemory(
  888. ((PUCHAR) currentEfsStream) + EFS_FSCTL_HEADER_LENGTH,
  889. fek,
  890. EFS_KEY_SIZE( fek )
  891. );
  893. RtlCopyMemory(
  894. ((PUCHAR) currentEfsStream) + EFS_FSCTL_HEADER_LENGTH
  895. + EFS_KEY_SIZE( fek ),
  896. fek,
  897. EFS_KEY_SIZE( fek )
  898. );
  900. RtlCopyMemory(
  901. ((PUCHAR) currentEfsStream) + EFS_FSCTL_HEADER_LENGTH
  902. + 2 * EFS_KEY_SIZE( fek ) ,
  903. efsStream,
  904. *(ULONG *)efsStream
  905. );
  907. //
  908. // Encrypt our Input data
  909. //
  910. EfsEncryptKeyFsData(
  911. currentEfsStream,
  912. inputDataLength,
  913. sizeof(ULONG),
  914. EFS_FSCTL_HEADER_LENGTH + EFS_KEY_SIZE( fek ),
  915. EFS_KEY_SIZE( fek )
  916. );
  918. //
  919. // Let's clear the plain FEK
  920. //
  922. RtlSecureZeroMemory(EFS_KEY_DATA(fek), fek->KeyLength);
  924. break;
  926. case NEW_DIR_EFS_REQUIRED:
  927. //
  928. // Prepare input data buffer
  929. //
  931. inputDataLength = EFS_FSCTL_HEADER_LENGTH
  932. + 2 * ( sizeof( EFS_KEY ) + DES_KEYSIZE );
  934. if ( NULL == efsStream ){
  936. //
  937. // New directory will inherit the parent $EFS
  938. //
  940. usingCurrentEfs = TRUE;
  941. inputDataLength += currentEfsStreamLength;
  942. efsStream = currentEfsStream;
  944. } else {
  946. //
  947. // New $EFS generated. Not in ver 1.0
  948. //
  950. usingCurrentEfs = FALSE;
  951. inputDataLength += *(ULONG *)efsStream;
  953. //
  954. // Free memory first
  955. //
  957. if (currentEfsStream){
  958. ZwFreeVirtualMemory(
  959. CrntProcess,
  960. &currentEfsStream,
  961. &regionSize,
  962. MEM_RELEASE
  963. );
  964. }
  966. }
  968. currentEfsStream = ExAllocatePoolWithTag(
  969. PagedPool,
  970. inputDataLength,
  971. 'msfE'
  972. );
  974. //
  975. // Deal with out of memory here
  976. //
  977. if ( NULL == currentEfsStream ){
  979. status = STATUS_INSUFFICIENT_RESOURCES;
  980. break;
  982. }
  984. pUlong = (ULONG *) currentEfsStream;
  985. *pUlong = ((PFSCTL_INPUT)currentEfsStream)->CipherSubCode
  986. = WRITE_EFS_ATTRIBUTE;
  988. ((PFSCTL_INPUT)currentEfsStream)->EfsFsCode = EFS_SET_ATTRIBUTE;
  990. //
  991. // Make up an false FEK with session key
  992. //
  994. ((PEFS_KEY)&(((PFSCTL_INPUT)currentEfsStream)->EfsFsData[0]))->KeyLength
  995. = DES_KEYSIZE;
  997. ((PEFS_KEY)&(((PFSCTL_INPUT)currentEfsStream)->EfsFsData[0]))->Algorithm
  998. = CALG_DES;
  1000. RtlCopyMemory(
  1001. ((PUCHAR) currentEfsStream) + EFS_FSCTL_HEADER_LENGTH + sizeof ( EFS_KEY ),
  1002. &(EfsData.SessionKey),
  1003. DES_KEYSIZE
  1004. );
  1006. RtlCopyMemory(
  1007. ((PUCHAR) currentEfsStream) + EFS_FSCTL_HEADER_LENGTH
  1008. + DES_KEYSIZE + sizeof ( EFS_KEY ) ,
  1009. ((PUCHAR) currentEfsStream) + EFS_FSCTL_HEADER_LENGTH,
  1010. DES_KEYSIZE + sizeof ( EFS_KEY )
  1011. );
  1013. RtlCopyMemory(
  1014. ((PUCHAR) currentEfsStream) + EFS_FSCTL_HEADER_LENGTH
  1015. + 2 * ( sizeof ( EFS_KEY ) + DES_KEYSIZE) ,
  1016. efsStream,
  1017. *(ULONG *)efsStream
  1018. );
  1020. if ( usingCurrentEfs && efsStream ) {
  1022. //
  1023. // Free memory
  1024. //
  1026. ZwFreeVirtualMemory(
  1027. CrntProcess,
  1028. &efsStream,
  1029. &regionSize,
  1030. MEM_RELEASE
  1031. );
  1033. }
  1035. //
  1036. // Encrypt our Input data
  1037. //
  1038. EfsEncryptKeyFsData(
  1039. currentEfsStream,
  1040. inputDataLength,
  1041. sizeof(ULONG),
  1042. EFS_FSCTL_HEADER_LENGTH + DES_KEYSIZE + sizeof ( EFS_KEY ),
  1043. DES_KEYSIZE + sizeof ( EFS_KEY )
  1044. );
  1046. break;
  1048. case TURN_ON_BIT_ONLY:
  1050. //
  1051. // Prepare input data buffer
  1052. //
  1054. inputDataLength = EFS_FSCTL_HEADER_LENGTH
  1055. + 2 * ( sizeof( EFS_KEY ) + DES_KEYSIZE );
  1057. currentEfsStream = ExAllocatePoolWithTag(
  1058. PagedPool,
  1059. inputDataLength,
  1060. 'msfE'
  1061. );
  1063. //
  1064. // Deal with out of memory here
  1065. //
  1066. if ( NULL == currentEfsStream ){
  1068. status = STATUS_INSUFFICIENT_RESOURCES;
  1069. break;
  1071. }
  1073. ((PFSCTL_INPUT)currentEfsStream)->CipherSubCode = 0;
  1074. ((PFSCTL_INPUT)currentEfsStream)->EfsFsCode = EFS_SET_ATTRIBUTE;
  1076. //
  1077. // Make up an false FEK with session key
  1078. //
  1080. ((PEFS_KEY)&(((PFSCTL_INPUT)currentEfsStream)->EfsFsData[0]))->KeyLength
  1081. = DES_KEYSIZE;
  1083. ((PEFS_KEY)&(((PFSCTL_INPUT)currentEfsStream)->EfsFsData[0]))->Algorithm
  1084. = CALG_DES;
  1086. RtlCopyMemory(
  1087. ((PUCHAR) currentEfsStream) + EFS_FSCTL_HEADER_LENGTH + sizeof ( EFS_KEY ),
  1088. &(EfsData.SessionKey),
  1089. DES_KEYSIZE
  1090. );
  1092. RtlCopyMemory(
  1093. ((PUCHAR) currentEfsStream) + EFS_FSCTL_HEADER_LENGTH
  1094. + DES_KEYSIZE + sizeof ( EFS_KEY ) ,
  1095. ((PUCHAR) currentEfsStream) + EFS_FSCTL_HEADER_LENGTH,
  1096. DES_KEYSIZE + sizeof ( EFS_KEY )
  1097. );
  1099. //
  1100. // Encrypt our Input data
  1101. //
  1102. EfsEncryptKeyFsData(
  1103. currentEfsStream,
  1104. inputDataLength,
  1105. sizeof(ULONG),
  1106. EFS_FSCTL_HEADER_LENGTH + DES_KEYSIZE + sizeof ( EFS_KEY ),
  1107. DES_KEYSIZE + sizeof ( EFS_KEY )
  1108. );
  1110. default:
  1111. break;
  1112. }
  1114. //
  1115. // Free the memory from the EFS server
  1116. //
  1118. if (bufferBase){
  1120. SIZE_T bufferSize;
  1122. bufferSize = bufferLength;
  1123. ZwFreeVirtualMemory(
  1124. CrntProcess,
  1125. &bufferBase,
  1126. &bufferSize,
  1127. MEM_RELEASE
  1128. );
  1130. }
  1132. if (ProcessAttached){
  1133. KeUnstackDetachProcess(&ApcState);
  1134. ObDereferenceObject(EfsData.LsaProcess);
  1135. ProcessAttached = FALSE;
  1136. }
  1138. if ( NT_SUCCESS(status) ){
  1141. //
  1142. // Prepare a FSCTL IRP
  1143. //
  1144. KeInitializeEvent( &event, SynchronizationEvent, FALSE);
  1146. if ( EfsContext->Status & TURN_ON_ENCRYPTION_BIT ) {
  1147. FsCode = FSCTL_SET_ENCRYPTION;
  1148. *(ULONG *) currentEfsStream = EFS_ENCRYPT_STREAM;
  1149. } else {
  1150. FsCode = FSCTL_ENCRYPTION_FSCTL_IO;
  1151. }
  1153. fsCtlIrp = IoBuildDeviceIoControlRequest( FsCode,
  1154. DeviceObject,
  1155. currentEfsStream,
  1156. inputDataLength,
  1157. NULL,
  1158. 0,
  1159. FALSE,
  1160. &event,
  1161. &ioStatus
  1162. );
  1163. if ( fsCtlIrp ) {
  1165. fsCtlIrpSp = IoGetNextIrpStackLocation( fsCtlIrp );
  1166. fsCtlIrpSp->MajorFunction = IRP_MJ_FILE_SYSTEM_CONTROL;
  1167. fsCtlIrpSp->MinorFunction = IRP_MN_USER_FS_REQUEST;
  1168. fsCtlIrpSp->FileObject = irpSp->FileObject;
  1170. status = IoCallDriver( DeviceObject, fsCtlIrp);
  1171. if (status == STATUS_PENDING) {
  1173. status = KeWaitForSingleObject( &event,
  1174. Executive,
  1175. KernelMode,
  1176. FALSE,
  1177. (PLARGE_INTEGER) NULL );
  1178. status = ioStatus.Status;
  1179. }
  1181. if ( !NT_SUCCESS(status) ){
  1182. //
  1183. // Write EFS and set Key Blob failed. Failed the create
  1184. //
  1186. status = STATUS_ACCESS_DENIED;
  1188. } else {
  1190. //
  1191. // Refresh the cache
  1192. //
  1194. if ( EfsId ){
  1195. if ( !accessToken ){
  1197. if ( irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ClientToken ){
  1198. accessToken = irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.ClientToken;
  1199. } else {
  1200. accessToken = irpSp->Parameters.Create.SecurityContext->AccessState->SubjectSecurityContext.PrimaryToken;
  1201. }
  1203. if ( accessToken ){
  1205. //
  1206. // Get User ID
  1207. //
  1209. status = SeQueryInformationToken(
  1210. accessToken,
  1211. TokenUser,
  1212. &UserId
  1213. );
  1214. }
  1215. }
  1217. if (UserId && NT_SUCCESS(status)){
  1219. status = EfsRefreshCache(
  1220. EfsId,
  1221. UserId
  1222. );
  1224. if (NT_SUCCESS(status)){
  1226. //
  1227. // Cache set successfully.
  1228. // UserId should not be deleted in this routine.
  1229. //
  1231. UserId = NULL;
  1232. }
  1233. }
  1235. //
  1236. // Cache should not affect the normal operations
  1237. //
  1239. status = STATUS_SUCCESS;
  1240. }
  1241. }
  1242. } else {
  1243. //
  1244. // Failed allocate IRP
  1245. //
  1247. status = STATUS_INSUFFICIENT_RESOURCES;
  1249. }
  1251. ExFreePool( currentEfsStream );
  1253. } else {
  1255. //
  1256. // Failed allocating memory for currentEfsStream
  1257. // Use the status returned.
  1258. //
  1260. }
  1261. } else {
  1262. //
  1263. // Failed on calling EFS server.
  1264. // Because of the down level support, we cannot return the new error status code.
  1265. //
  1267. status = STATUS_ACCESS_DENIED;
  1269. ZwFreeVirtualMemory(
  1270. CrntProcess,
  1271. &currentEfsStream,
  1272. &regionSize,
  1273. MEM_RELEASE
  1274. );
  1276. if (ProcessAttached){
  1277. KeUnstackDetachProcess(&ApcState);
  1278. ObDereferenceObject(EfsData.LsaProcess);
  1279. ProcessAttached = FALSE;
  1280. }
  1282. }
  1284. } else {
  1285. //
  1286. // Allocate virtual memory failed. Use the status returned.
  1287. //
  1289. if (ProcessAttached){
  1290. KeUnstackDetachProcess(&ApcState);
  1291. ObDereferenceObject(EfsData.LsaProcess);
  1292. ProcessAttached = FALSE;
  1293. }
  1295. }
  1297. if ( UserId ){
  1299. ExFreePool( UserId );
  1301. }
  1303. if ( EfsId ){
  1305. ExFreePool( EfsId );
  1307. }
  1309. return status;
  1311. }