archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/ds/security/base/lsa/server/credapi.cxx

473 lines
13 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 1991 - 1992
  6. //
  7. // File: credapi.c
  8. //
  9. // Contents: Credential related APIs to the SPMgr
  10. // - LsaEstablishCreds
  11. // - LsaLogonUser
  12. // - LsaAcquireCredHandle
  13. // - LsaFreeCredHandle
  14. //
  15. //
  16. // History: 20 May 92 RichardW Commented existing code
  17. //
  18. //------------------------------------------------------------------------
  20. #include <lsapch.hxx>
  21. extern "C"
  22. {
  23. #include "adtp.h"
  24. #include "msaudite.h" // LsaAuditLogon
  25. }
  27. //+-------------------------------------------------------------------------
  28. //
  29. // Function: WLsaAcquireCredHandle
  30. //
  31. // Synopsis:
  32. //
  33. // Effects:
  34. //
  35. // Arguments:
  36. //
  37. // Requires:
  38. //
  39. // Returns:
  40. //
  41. // Notes:
  42. //
  43. //--------------------------------------------------------------------------
  45. NTSTATUS
  46. WLsaAcquireCredHandle( PSECURITY_STRING pPrincipal,
  47. PSECURITY_STRING pSecPackage,
  48. DWORD fCredentialUse,
  49. PLUID pLogonID,
  50. PVOID pvAuthData,
  51. PVOID pvGetKeyFn,
  52. PVOID pvGetKeyArgument,
  53. PCredHandle phCredential,
  54. PTimeStamp ptsExpiry)
  55. {
  56. PLSAP_SECURITY_PACKAGE pspPackage;
  57. NTSTATUS scRet;
  58. LUID CallerLogonID;
  59. PSession pSession = GetCurrentSession();
  60. SECPKG_CLIENT_INFO ClientInfo;
  61. PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
  63. //
  64. // Check if the caller is restricted
  65. //
  66. scRet = LsapGetClientInfo(&ClientInfo);
  67. if (!NT_SUCCESS(scRet))
  68. {
  69. DebugLog((DEB_ERROR,"Failed to get client info: 0x%x\n",scRet));
  70. return(scRet);
  71. }
  73. //
  74. // If the caller is restricted, fail the call for now. This should change
  75. // if packages are able to support restrictions. In that case, the call
  76. // should check the package capabilities for handling restrictions and
  77. // if it supports restrictions, allow the call to continue.
  78. //
  80. if (ClientInfo.Restricted)
  81. {
  82. DebugLog((DEB_WARN, "Trying to acquire credentials with a restrictred token\n"));
  83. scRet = SEC_E_NO_CREDENTIALS;
  84. return (scRet);
  85. }
  87. //
  88. // Todds - 08/02
  89. //
  90. // We used to disallow tokens with identification level or lower to
  91. // AcquireCredentialsHandle, thus prevent it from elevating to impersonation
  92. // level - but this check has been moved to the packages to allow some
  93. // s4uproxy scenarios to work w/o TCB.
  94. //
  97. #if DBG
  98. if (pPrincipal->Length)
  99. {
  100. DebugLog((DEB_TRACE_WAPI, "[%x] AcquireCredentialHandle(%ws, %ws)\n",
  101. pSession->dwProcessID, pPrincipal->Buffer, pSecPackage->Buffer));
  102. }
  103. else
  104. {
  105. DebugLog((DEB_TRACE_WAPI, "[%x] AcquireCredHandle(%x:%x, %ws)\n",
  106. pSession->dwProcessID, pLogonID->HighPart, pLogonID->LowPart,
  107. pSecPackage->Buffer));
  108. }
  109. #endif // DBG
  111. phCredential->dwUpper = 0;
  112. phCredential->dwLower = 0xFFFFFFFF;
  113. ptsExpiry->LowPart = 0;
  114. ptsExpiry->HighPart = 0;
  116. pspPackage = SpmpLookupPackageAndRequest(pSecPackage,
  117. SP_ORDINAL_ACQUIRECREDHANDLE);
  118. if (!pspPackage)
  119. {
  120. return(SEC_E_SECPKG_NOT_FOUND);
  121. }
  123. SetCurrentPackageId(pspPackage->dwPackageID);
  125. CallerLogonID = *pLogonID;
  127. StartCallToPackage( pspPackage );
  129. __try
  130. {
  131. scRet = pspPackage->FunctionTable.AcquireCredentialsHandle(pPrincipal,
  132. fCredentialUse,
  133. &CallerLogonID,
  134. pvAuthData,
  135. pvGetKeyFn,
  136. pvGetKeyArgument,
  137. &phCredential->dwUpper,
  138. ptsExpiry);
  139. }
  140. __except (SP_EXCEPTION)
  141. {
  142. scRet = GetExceptionCode();
  143. scRet = SPException(scRet, pspPackage->dwPackageID);
  144. }
  146. EndCallToPackage( pspPackage );
  148. if (FAILED(scRet))
  149. {
  150. DebugLog((DEB_WARN, "Failed to acquire cred handle for %ws with %ws\n",
  151. pPrincipal->Buffer, pSecPackage->Buffer));
  152. return(scRet);
  153. }
  155. phCredential->dwLower = pspPackage->dwPackageID;
  157. if(!AddCredHandle(pSession, phCredential, 0))
  158. {
  159. DebugLog(( DEB_ERROR, "Failed adding credential handle %p:%p to session %p\n",
  160. phCredential->dwUpper, phCredential->dwLower,
  161. pSession ));
  163. pspPackage = SpmpLookupPackageAndRequest(pSecPackage,
  164. SP_ORDINAL_FREECREDHANDLE);
  166. if( pspPackage )
  167. {
  168. ULONG OldCallCount = CallInfo->CallInfo.CallCount;
  170. CallInfo->CallInfo.CallCount = 1 ;
  173. //
  174. // remove the handle from the underlying package.
  175. //
  177. StartCallToPackage( pspPackage );
  179. __try
  180. {
  181. pspPackage->FunctionTable.FreeCredentialsHandle(
  182. phCredential->dwUpper
  183. );
  184. }
  185. __except (SP_EXCEPTION)
  186. {
  187. NOTHING;
  188. }
  190. EndCallToPackage( pspPackage );
  192. CallInfo->CallInfo.CallCount = OldCallCount;
  194. }
  196. phCredential->dwLower = 0;
  197. phCredential->dwUpper = 0;
  199. return SEC_E_INSUFFICIENT_MEMORY;
  200. }
  202. LsapLogCallInfo( CallInfo, pSession, *phCredential );
  204. return(scRet);
  205. }
  208. NTSTATUS
  209. WLsaAddCredentials(
  210. PCredHandle phCredential,
  211. PSECURITY_STRING pPrincipal,
  212. PSECURITY_STRING pSecPackage,
  213. DWORD fCredentialUse,
  214. PVOID pvAuthData,
  215. PVOID pvGetKeyFn,
  216. PVOID pvGetKeyArgument,
  217. PTimeStamp ptsExpiry)
  218. {
  219. PLSAP_SECURITY_PACKAGE pspPackage;
  220. NTSTATUS scRet;
  221. LUID CallerLogonID;
  222. PSession pSession = GetCurrentSession();
  223. SECPKG_CLIENT_INFO ClientInfo;
  224. PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
  225. PVOID CredKey ;
  227. //
  228. // Check if the caller is restricted
  229. //
  230. scRet = LsapGetClientInfo(&ClientInfo);
  231. if (!NT_SUCCESS(scRet))
  232. {
  233. DebugLog((DEB_ERROR,"Failed to get client info: 0x%x\n",scRet));
  234. return(scRet);
  235. }
  237. //
  238. // If the caller is restricted, fail the call for now. This should change
  239. // if packages are able to support restrictions. In that case, the call
  240. // should check the package capabilities for handling restrictions and
  241. // if it supports restrictions, allow the call to continue.
  242. //
  244. if (ClientInfo.Restricted)
  245. {
  246. DebugLog((DEB_WARN,"Trying to acquire credentials with a restrictred token\n"));
  247. scRet = SEC_E_NO_CREDENTIALS;
  248. return(scRet);
  249. }
  251. #if DBG
  252. if (pPrincipal->Length)
  253. {
  254. DebugLog((DEB_TRACE_WAPI, "[%x] AddCredentials(%ws, %ws)\n",
  255. pSession->dwProcessID, pPrincipal->Buffer, pSecPackage->Buffer));
  256. }
  257. else
  258. {
  259. DebugLog((DEB_TRACE_WAPI, "[%x] AddCredentials(%ws)\n",
  260. pSession->dwProcessID,
  261. pSecPackage->Buffer));
  262. }
  263. #endif // DBG
  265. ptsExpiry->LowPart = 0;
  266. ptsExpiry->HighPart = 0;
  268. LsapLogCallInfo( CallInfo, pSession, *phCredential );
  270. scRet = ValidateCredHandle(
  271. pSession,
  272. phCredential,
  273. &CredKey );
  275. if ( NT_SUCCESS( scRet ) )
  276. {
  277. pspPackage = SpmpValidRequest( phCredential->dwLower,
  278. SP_ORDINAL_ADDCREDENTIALS );
  279. }
  280. else
  281. {
  282. DsysAssert( (pSession->fSession & SESFLAG_KERNEL) == 0 );
  284. return( SEC_E_INVALID_HANDLE );
  285. }
  287. if (!pspPackage)
  288. {
  289. return(SEC_E_SECPKG_NOT_FOUND);
  290. }
  292. SetCurrentPackageId(pspPackage->dwPackageID);
  294. StartCallToPackage( pspPackage );
  296. __try
  297. {
  298. scRet = pspPackage->FunctionTable.AddCredentials(
  299. phCredential->dwUpper,
  300. pPrincipal,
  301. pSecPackage,
  302. fCredentialUse,
  303. pvAuthData,
  304. pvGetKeyFn,
  305. pvGetKeyArgument,
  306. ptsExpiry);
  307. }
  308. __except (SP_EXCEPTION)
  309. {
  310. scRet = GetExceptionCode();
  311. scRet = SPException(scRet, pspPackage->dwPackageID);
  312. }
  314. EndCallToPackage( pspPackage );
  316. if (FAILED(scRet))
  317. {
  318. DebugLog((DEB_WARN, "Failed to add credentials for %ws with %ws\n",
  319. pPrincipal->Buffer, pSecPackage->Buffer));
  320. return(scRet);
  321. }
  323. LsapLogCallInfo( CallInfo, pSession, *phCredential );
  325. return(scRet);
  326. }
  332. //+-------------------------------------------------------------------------
  333. //
  334. // Function: WLsaFreeCredHandle
  335. //
  336. // Synopsis: Worker function to free a cred handle,
  337. //
  338. // Effects: calls into a package to free the handle
  339. //
  340. // Arguments:
  341. //
  342. // Requires:
  343. //
  344. // Returns:
  345. //
  346. // Notes:
  347. //
  348. //--------------------------------------------------------------------------
  349. NTSTATUS
  350. WLsaFreeCredHandle( PCredHandle phCreds)
  351. {
  352. NTSTATUS scRet;
  353. PSession pSession = GetCurrentSession();
  354. PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
  355. PLSAP_SECURITY_PACKAGE pPackage;
  358. IsOkayToExec(0);
  360. DebugLog((DEB_TRACE_WAPI, "[%x] WLsaFreeCredHandle(%p : %p)\n",
  361. pSession->dwProcessID, phCreds->dwUpper, phCreds->dwLower));
  363. scRet = ValidateAndDerefCredHandle( pSession, phCreds );
  365. if ( !NT_SUCCESS( scRet ) )
  366. {
  367. if ( ( CallInfo->Flags & CALL_FLAG_NO_HANDLE_CHK ) == 0 )
  368. {
  369. DsysAssert( (pSession->fSession & SESFLAG_KERNEL) == 0 );
  370. }
  371. }
  373. LsapLogCallInfo( CallInfo, pSession, *phCreds );
  375. if (SUCCEEDED(scRet))
  376. {
  377. phCreds->dwUpper = phCreds->dwLower = 0xFFFFFFFF;
  378. }
  380. return(scRet);
  382. }
  385. //+-------------------------------------------------------------------------
  386. //
  387. // Function: WLsaQueryCredAttributes
  388. //
  389. // Synopsis: SPMgr worker to query credential attributes
  390. //
  391. // Effects:
  392. //
  393. // Arguments:
  394. //
  395. // Requires:
  396. //
  397. // Returns:
  398. //
  399. // Notes:
  400. //
  401. //
  402. //--------------------------------------------------------------------------
  404. NTSTATUS
  405. WLsaQueryCredAttributes(
  406. PCredHandle phCredentials,
  407. ULONG ulAttribute,
  408. PVOID pBuffer
  409. )
  410. {
  411. NTSTATUS scRet;
  412. PSession pSession = GetCurrentSession();
  413. PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
  414. PLSAP_SECURITY_PACKAGE pPackage;
  415. PVOID CredKey = NULL ;
  418. DebugLog((DEB_TRACE_WAPI, "[%x] WLsaQueryCredAttributes(%p : %p)\n",
  419. pSession->dwProcessID, phCredentials->dwUpper, phCredentials->dwLower));
  421. LsapLogCallInfo( CallInfo, pSession, *phCredentials );
  423. scRet = ValidateCredHandle(
  424. pSession,
  425. phCredentials,
  426. &CredKey );
  428. if ( !NT_SUCCESS( scRet ) )
  429. {
  430. DsysAssert( (pSession->fSession & SESFLAG_KERNEL) == 0 );
  432. return( scRet );
  433. }
  436. pPackage = SpmpValidRequest(phCredentials->dwLower,
  437. SP_ORDINAL_QUERYCREDATTR );
  439. if (pPackage)
  440. {
  442. SetCurrentPackageId(phCredentials->dwLower);
  444. StartCallToPackage( pPackage );
  446. __try
  447. {
  448. scRet = pPackage->FunctionTable.QueryCredentialsAttributes(
  449. phCredentials->dwUpper,
  450. ulAttribute,
  451. pBuffer
  452. );
  454. }
  455. __except (SP_EXCEPTION)
  456. {
  457. scRet = GetExceptionCode();
  458. scRet = SPException(scRet, phCredentials->dwLower);
  459. }
  461. EndCallToPackage( pPackage );
  462. }
  463. else
  464. {
  465. scRet = SEC_E_INVALID_HANDLE;
  466. }
  468. DerefCredHandle( pSession, NULL, CredKey );
  470. return(scRet);
  471. }