|
|
//+-----------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (c) Microsoft Corporation 1991 - 1992
//
// File: KLPCSTUB.CXX
//
// Contents: LPC Support for the KSEC device driver
// API Dispatcher
// (Un)Marshalling code
//
//
// Functions: GetClientString
// LpcAcquireCreds
// LpcInitContext
// LpcAcceptContext
//
// DispatchAPI
//
// History: 20 May 92 RichardW Created
// 11 Mar 94 MikeSw Renamed from klpc2.c
//
//------------------------------------------------------------------------
#include <lsapch.hxx>
extern "C"{#include "klpcstub.h"
#include <efsstruc.h>
#include "efssrv.hxx"
#include "sphelp.h"
}ULONG LsapPageSize ;LONG InternalMessageId ;PLSAP_API_LOG InternalApiLog ;//
// Maximum size of a string. This is the max size of
// a short, less the null terminator
//
#define LSAP_MAX_STRING_LENGTH (0xfffc)
//#define LSAP_CATCH_BAD_VM
static EfsSessionKeySent = FALSE;
extern "C" BOOLEAN EfsPersonalVer;
extern "C" BOOLEAN EfsDisabled;
//#define ProfilingEfs
#ifdef ProfilingEfs
WCHAR EfsProfileLogName[32] = {'A', 0};LONG LogFileIsBeingCreated = 0;HANDLE EfsProfileLogHandle = 0;#endif
#if DBG
char * SessionStatLabels[] = { "<Disconnect>", "<Connect>", "LsaLookupPackage", "LsaLogonUser", "LsaCallPackage", "LsaDeregisterLogonProcess", "<empty>", "(I) GetBinding", "(I) SetSession", "(I) FindPackage", "EnumeratePackages", "AcquireCredentialHandle", "EstablishCredentials", "FreeCredentialHandle", "InitializeSecurityContext", "AcceptSecurityContext", "ApplyControlToken", "DeleteSecurityContext", "QueryPackage", "GetUserInfo", "GetCredentials", "SaveCredentials", "DeleteCredentials", "QueryCredAttributes", "AddPackage", "DeletePackage", "GenerateKey", "GenerateDirEfs", "DecryptFek", "GenerateSessionKey", "Callback", "QueryContextAttributes", "PolicyChangeNotify", "GetUserName", "AddCredentials", "EnumLogonSessions", "GetLogonSessionData", "SetContextAttribute", "LookupAccountName", "LookupAccountSid", "LookupWellKnownSid", "<empty>" };#define ApiLabel(x) (((x+2) < sizeof(SessionStatLabels) / sizeof(char *)) ? \
SessionStatLabels[(x+2)] : "[Illegal API Number!]")#endif
PLSA_DISPATCH_FN DllCallbackHandler ;//
// Function orders after LsapAuMaxApiNumber must match SPM_API and
// SPM_API_NUMBER defined in ..\h\spmlpc.h
//
PLSA_DISPATCH_FN LpcDispatchTable[ SPMAPI_MaxApiNumber ] ={ LpcLsaLookupPackage, LpcLsaLogonUser, LpcLsaCallPackage, LpcLsaDeregisterLogonProcess, NULL, // LsapAuMaxApiNumber
LpcGetBinding, LpcSetSession, LpcFindPackage, LpcEnumPackages, LpcAcquireCreds, LpcEstablishCreds, LpcFreeCredHandle, LpcInitContext, LpcAcceptContext, LpcApplyToken, LpcDeleteContext, LpcQueryPackage, LpcGetUserInfo, LpcGetCreds, LpcSaveCreds, LpcQueryCredAttributes, LpcAddPackage, LpcDeletePackage, LpcEfsGenerateKey, LpcEfsGenerateDirEfs, LpcEfsDecryptFek, LpcEfsGenerateSessionKey, LpcCallback, LpcQueryContextAttributes, LpcLsaPolicyChangeNotify, LpcGetUserName, LpcAddCredentials, LpcEnumLogonSessions, LpcGetLogonSessionData, LpcSetContextAttributes, LpcLookupAccountName, LpcLookupAccountSid, LpcLookupWellKnownSid};
NTSTATUSMapTokenBuffer( PSecBufferDesc pInput, BOOLEAN fDoClientCopy );
#define KLPC_FLAG_RESET (~(SPMAPI_FLAG_ERROR_RET | \
SPMAPI_FLAG_MEMORY | SPMAPI_FLAG_PREPACK | \ SPMAPI_FLAG_EXEC_NOW ) )
//+---------------------------------------------------------------------------
//
// Function: AbortLpcContext
//
// Synopsis: Aborts a security context if something goes wrong.
//
// Effects: Calls a DeleteContext() on the context.
//
// Arguments: [phContext] -- Context to abort
//
// History: 6-29-93 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
voidAbortLpcContext( PCtxtHandle phContext ){ NTSTATUS scRet; PLSA_CALL_INFO CallInfo ;
CallInfo = LsapGetCurrentCall();
CallInfo->Flags |= CALL_FLAG_NO_HANDLE_CHK ;
DebugLog((DEB_WARN, "[%x] Aborting context %p:%p\n", GetCurrentSession()->dwProcessID, phContext->dwUpper, phContext->dwLower));
scRet = WLsaDeleteContext( phContext );
if (FAILED(scRet)) { DebugLog((DEB_WARN, "[%x] DeleteContext failed (%x) on context %p:%p\n", GetCurrentSession()->dwProcessID, scRet, phContext->dwUpper, phContext->dwLower));
}
CallInfo->Flags &= (~(CALL_FLAG_NO_HANDLE_CHK));
}
//+-------------------------------------------------------------------------
//
// Function: GetClientString
//
// Synopsis: Get a string from client memory
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUSGetClientString( PUNICODE_STRING pssSource, PUNICODE_STRING pssDest, PSPM_LPC_MESSAGE pMessage, PUCHAR * Where ){ NTSTATUS scRet = S_OK; PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
*pssDest = *pssSource;
if ( pssDest->Length > LSAP_MAX_STRING_LENGTH ) { return STATUS_INVALID_PARAMETER ; }
if ( CallInfo->Flags & CALL_FLAG_KERNEL_POOL ) { if ((ULONG_PTR) pssSource->Buffer >= (ULONG_PTR) sizeof( SPM_LPC_MESSAGE ) ) { *pssDest = *pssSource ; if ( pssDest->Length < pssDest->MaximumLength ) { pssDest->Buffer[ pssDest->Length / sizeof( WCHAR )] = L'\0';
} return STATUS_SUCCESS ; } }
pssDest->Buffer = (LPWSTR) LsapAllocatePrivateHeap(pssDest->Length+sizeof(WCHAR)); if (pssDest->Buffer) { pssDest->MaximumLength = pssDest->Length + sizeof(WCHAR);
if (pssSource->Length != 0) { if ((ULONG_PTR) pssSource->Buffer >= (ULONG_PTR) sizeof( SPM_LPC_MESSAGE ) ) { scRet = LsapCopyFromClient( pssSource->Buffer, pssDest->Buffer, pssDest->Length); if (FAILED(scRet)) { LsapFreePrivateHeap(pssDest->Buffer); pssDest->Buffer = NULL; } } else { //
// Prepacked buffers -- make sure the specified lengths are valid.
// Note that the second check mixes pssSource and pssDest for the
// buffer and length. That's OK as pssDest->Length is the same as
// pssSource->Length at this point -- pssDest->Length is used to
// be consistent with the RtlCopyMemory call below.
//
if ((pssSource->Length > CBPREPACK) || ((ULONG_PTR) pssSource->Buffer + pssDest->Length > sizeof(SPM_LPC_MESSAGE))) { LsapFreePrivateHeap( pssDest->Buffer );
pssDest->Buffer = NULL ;
return STATUS_INVALID_PARAMETER ; }
*Where = (PUCHAR) (pMessage) + (ULONG_PTR) pssSource->Buffer ;
if (*Where == NULL) { *Where = pMessage->ApiMessage.bData; }
RtlCopyMemory( pssDest->Buffer, *Where, pssDest->Length);
*Where += pssDest->Length;
} }
return(scRet); } return(SEC_E_INSUFFICIENT_MEMORY);}
//+-------------------------------------------------------------------------
//
// Function: PutClientString
//
// Synopsis: Get a string from client memory
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUSPutClientString( PUNICODE_STRING pssSource, PUNICODE_STRING pssDest ){ NTSTATUS scRet;
pssDest->Length = pssSource->Length;
//
// If the destination buffer isn't allocated yet, allocate it.
//
if (!pssDest->Buffer) { pssDest->Buffer = (LPWSTR) LsapClientAllocate(pssDest->Length+sizeof(WCHAR)); pssDest->MaximumLength = pssDest->Length+sizeof(WCHAR); }
if (pssDest->Buffer) { scRet = LsapCopyToClient( pssSource->Buffer, pssDest->Buffer, pssDest->Length); if (FAILED(scRet)) { LsapClientFree(pssDest->Buffer); pssDest->Buffer = NULL; }
return(scRet); } return(SEC_E_INSUFFICIENT_MEMORY);}
//+-------------------------------------------------------------------------
//
// Function: MapTokenBuffer
//
// Synopsis: Maps the security token buffer into local memory
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSMapTokenBuffer( PSecBufferDesc pInput, BOOLEAN fDoClientCopy ){ ULONG i; NTSTATUS scRet = STATUS_SUCCESS; PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
//
// Mark all buffers as unmapped in case of failure
//
for (i = 0; i < pInput->cBuffers ; i++ ) { pInput->pBuffers[i].BufferType |= SECBUFFER_UNMAPPED; }
for (i = 0; i < pInput->cBuffers ; i++ ) {
//
// Always map the security token - it is assumed that this
// is always wanted by all packages
//
if ((pInput->pBuffers[i].BufferType & ~SECBUFFER_ATTRMASK) == SECBUFFER_TOKEN) { if (fDoClientCopy) { scRet = LsapMapClientBuffer( &pInput->pBuffers[i], &pInput->pBuffers[i] ); } else { pInput->pBuffers[i].pvBuffer = LsapAllocateLsaHeap(pInput->pBuffers[i].cbBuffer);
if (!pInput->pBuffers[i].pvBuffer) { scRet = SEC_E_INSUFFICIENT_MEMORY;
if (i > 0) { do { i--;
if ((pInput->pBuffers[i].BufferType & ~SECBUFFER_ATTRMASK) == SECBUFFER_TOKEN) { LsapFreeLsaHeap(pInput->pBuffers[i].pvBuffer); pInput->pBuffers[i].pvBuffer = NULL; pInput->pBuffers[i].BufferType |= SECBUFFER_UNMAPPED; } } while (i != 0); } } else { pInput->pBuffers[i].BufferType &= ~SECBUFFER_UNMAPPED; } } if (FAILED(scRet)) { return(scRet); } } else { NOTHING ; } }
return(S_OK);}
//+---------------------------------------------------------------------------
//
// Function: AllocateClientBuffers
//
// Synopsis: Allocate space in the client process for TOKEN type buffers
//
// Arguments: [pOutput] --
// [pClientOutput] --
// [pFlags] --
//
// History: 8-14-98 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSAllocateClientBuffers( PSecBufferDesc pOutput, PSecBufferDesc pClientOutput, PUSHORT pFlags){ ULONG i;
DsysAssert(pOutput->cBuffers <= MAX_SECBUFFERS); if (pOutput->cBuffers > MAX_SECBUFFERS) { return(SEC_E_INVALID_TOKEN); }
for (i = 0; i < pOutput->cBuffers ; i++ ) { pClientOutput->pBuffers[i] = pOutput->pBuffers[i]; if (((pOutput->pBuffers[i].BufferType & ~SECBUFFER_ATTRMASK) == SECBUFFER_TOKEN) && (pOutput->pBuffers[i].cbBuffer)) { pClientOutput->pBuffers[i].pvBuffer = LsapClientAllocate(pOutput->pBuffers[i].cbBuffer);
if (!pClientOutput->pBuffers[i].pvBuffer) { return( SEC_E_INSUFFICIENT_MEMORY ); }
*pFlags |= SPMAPI_FLAG_MEMORY;
}
}
return(S_OK);}
//+-------------------------------------------------------------------------
//
// Function: CopyClientBuffers
//
// Synopsis: Copies any mapped buffers over to the client's address
// space. The length is also copies for those buffers.
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSCopyClientBuffers( PSecBufferDesc pSource, PSecBufferDesc pDest){ ULONG i; NTSTATUS scRet;
for (i = 0; i < pSource->cBuffers ; i++ ) { //
// Only copy it if the buffer exists and is unmapped -
// otherwise nothing changed or there is nothing and it is
// a waste of time.
//
if (pSource->pBuffers[i].pvBuffer && !(pSource->pBuffers[i].BufferType & SECBUFFER_UNMAPPED)) { DsysAssert(pSource->pBuffers[i].cbBuffer <= pDest->pBuffers[i].cbBuffer);
scRet = LsapCopyToClient( pSource->pBuffers[i].pvBuffer, pDest->pBuffers[i].pvBuffer, pSource->pBuffers[i].cbBuffer );
if (FAILED(scRet)) { //
// Again, we have a real problem when this fails. We
// abort the context and return an error.
//
return(SEC_E_INSUFFICIENT_MEMORY);
}
//
// Copy the length over also
//
pDest->pBuffers[i].cbBuffer = pSource->pBuffers[i].cbBuffer; pDest->pBuffers[i].BufferType = pSource->pBuffers[i].BufferType & (~SECBUFFER_ATTRMASK) ; } } return(S_OK);}
//+---------------------------------------------------------------------------
//
// Function: LsapWriteClientBuffer
//
// Synopsis: Allocates and copies a buffer out to the client
//
// Arguments: [LsaBuffer] --
// [ClientBuffer] --
//
// History: 4-11-97 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLsapWriteClientBuffer( IN PSecBuffer LsaBuffer, OUT PSecBuffer ClientBuffer ){ NTSTATUS Status ; PVOID Client ;
Status = LsapAllocateClientBuffer( NULL, LsaBuffer->cbBuffer, &Client );
if ( NT_SUCCESS( Status ) ) { Status = LsapCopyToClientBuffer( NULL, LsaBuffer->cbBuffer, Client, LsaBuffer->pvBuffer );
if ( NT_SUCCESS( Status ) ) { ClientBuffer->BufferType = LsaBuffer->BufferType ; ClientBuffer->cbBuffer = LsaBuffer->cbBuffer ; ClientBuffer->pvBuffer = Client ; } else { LsapFreeClientBuffer( NULL, Client ); } }
return Status ;}
//+---------------------------------------------------------------------------
//
// Function: LsapLpcContextCleanup
//
// Synopsis: Cleanup context on failures
//
// Arguments: [pMessage] --
//
// History: 5-10-02 LZhu Created
//
// Notes:
//
//-----------------------------------------------------------------------------
VOIDLsapLpcContextCleanup( PSPM_LPC_MESSAGE pMessage ){ PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
DsysAssert(CallInfo && L"Must have call info present");
switch (pMessage->ApiMessage.dwAPI) { case SPMAPI_InitContext: if (pMessage->ApiMessage.Args.SpmArguments.fAPI & SPMAPI_FLAG_HANDLE_CHG) { SPMInitContextAPI* pInitContext = LPC_MESSAGE_ARGSP(pMessage, InitContext);
DebugLog((DEB_ERROR, "[%#x] LsapLpcContextCleanup deleting InitContext handle %p : %p\n", CallInfo->Session->dwProcessID, pInitContext->hNewContext.dwUpper, pInitContext->hNewContext.dwLower));
AbortLpcContext(&pInitContext->hNewContext); pMessage->ApiMessage.Args.SpmArguments.fAPI &= ~SPMAPI_FLAG_HANDLE_CHG; } break; case SPMAPI_AcceptContext: if (pMessage->ApiMessage.Args.SpmArguments.fAPI & SPMAPI_FLAG_HANDLE_CHG) { SPMAcceptContextAPI* pAcceptContext = LPC_MESSAGE_ARGSP( pMessage, AcceptContext );
pAcceptContext = LPC_MESSAGE_ARGSP(pMessage, AcceptContext);
DebugLog((DEB_ERROR, "[%#x] LsapLpcContextCleanup deleting AcceptContext handle %p : %p\n", CallInfo->Session->dwProcessID, pAcceptContext->hNewContext.dwUpper, pAcceptContext->hNewContext.dwLower));
AbortLpcContext(&pAcceptContext->hNewContext); pMessage->ApiMessage.Args.SpmArguments.fAPI &= ~SPMAPI_FLAG_HANDLE_CHG; } break; default:
//
// no clean up
//
break; }}
//+---------------------------------------------------------------------------
//
// Function: LsapChangeHandle
//
// Synopsis: Changes a handle, based on the current API, session
//
// Arguments: [HandleOp] --
// [OldHandle] --
// [NewHandle] --
//
// History: 9-20-96 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
BOOLLsapChangeHandle( SECHANDLE_OPS HandleOp, PSecHandle OldHandle, PSecHandle NewHandle ){ PLSA_CALL_INFO CallInfo ; PSPM_LPC_MESSAGE pMessage; SPMAcquireCredsAPI *pAcquireCreds; SPMInitContextAPI * pInitContext; SPMAcceptContextAPI *pAcceptContext; BOOL ContextHandle ; PSession pSession ; SecHandle RemoveHandle = { 0 }; PVOID Key ;
CallInfo = LsapGetCurrentCall();
if ( !CallInfo ) { return FALSE ; }
pMessage = CallInfo->Message ;
pSession = CallInfo->Session ;
ContextHandle = TRUE ;
if ( HandleOp == HandleRemoveReplace ) { RemoveHandle = *OldHandle ; }
switch ( pMessage->ApiMessage.dwAPI ) { case SPMAPI_AcquireCreds: pAcquireCreds = LPC_MESSAGE_ARGSP( pMessage, AcquireCreds );
if ( HandleOp == HandleReplace ) { RemoveHandle = pAcquireCreds->hCredential ; }
DebugLog((DEB_TRACE, "[%x] Changing Handle %p : %p to %p : %p\n", pSession->dwProcessID, pAcquireCreds->hCredential.dwUpper, pAcquireCreds->hCredential.dwLower, NewHandle->dwUpper, NewHandle->dwLower ));
pAcquireCreds->hCredential = *NewHandle ;
ContextHandle = FALSE ;
break;
case SPMAPI_InitContext: pInitContext = LPC_MESSAGE_ARGSP( pMessage, InitContext );
if ( HandleOp == HandleReplace ) { RemoveHandle = pInitContext->hContext ; }
DebugLog((DEB_TRACE, "[%x] Changing Handle %p : %p to %p : %p\n", pSession->dwProcessID, pInitContext->hContext.dwUpper, pInitContext->hContext.dwLower, NewHandle->dwUpper, NewHandle->dwLower ));
pInitContext->hNewContext = *NewHandle ;
break;
case SPMAPI_AcceptContext: pAcceptContext = LPC_MESSAGE_ARGSP( pMessage, AcceptContext );
if ( HandleOp == HandleReplace ) { RemoveHandle = pAcceptContext->hContext ; }
DebugLog((DEB_TRACE, "[%x] Changing Handle %p : %p to %p : %p\n", pSession->dwProcessID, pAcceptContext->hNewContext.dwUpper, pAcceptContext->hNewContext.dwLower, NewHandle->dwUpper, NewHandle->dwLower ));
pAcceptContext->hNewContext = *NewHandle ;
break;
default:
return( FALSE ); }
pMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_HANDLE_CHG ;
//
// Clean up the handle references. The old handle is dereferenced,
// the new handle is referenced once (to make up for it).
//
if ( ContextHandle ) { if ( HandleOp != HandleSet ) { DebugLog(( DEB_TRACE, "[%x] Deleting old context handle %p : %p\n", pSession->dwProcessID, RemoveHandle.dwUpper, RemoveHandle.dwLower ));
ValidateAndDerefContextHandle( pSession, &RemoveHandle );
// ValidateContextHandle( pSession, NewHandle, &Key );
}
} else { if ( HandleOp != HandleSet ) { DebugLog(( DEB_TRACE, "[%x] Deleting old credential handle %p : %p\n", pSession->dwProcessID, RemoveHandle.dwUpper, RemoveHandle.dwLower ));
ValidateAndDerefCredHandle( pSession, &RemoveHandle );
// ValidateCredHandle( pSession, NewHandle, &Key );
}
}
return( TRUE );
}
NTSTATUSLsapFixupAuthIdentity( PKSEC_LSA_MEMORY_HEADER KMap, PVOID AuthIdentity ){ PSEC_WINNT_AUTH_IDENTITY_EX AuthEx ; NTSTATUS Status = STATUS_SUCCESS ; ULONG_PTR PoolBase = (ULONG_PTR) -1 ; USHORT i ;
AuthEx = (PSEC_WINNT_AUTH_IDENTITY_EX) AuthIdentity ;
DsysAssert( AuthEx->Version == SEC_WINNT_AUTH_IDENTITY_VERSION );
for ( i = 0 ; i < KMap->MapCount ; i++ ) { if ( (PUCHAR) KMap + KMap->PoolMap[ i ].Offset == (PUCHAR) AuthIdentity ) { PoolBase = (ULONG_PTR) KMap->PoolMap[ i ].Pool ; break; }
}
if ( AuthEx->User ) { if ( (ULONG_PTR) AuthEx->User > PoolBase) { AuthEx->User = (PWSTR) ( (ULONG_PTR) AuthEx->User - PoolBase );
} if ( (ULONG_PTR) AuthEx->User < 0x10000 ) { AuthEx->User = (PWSTR) ((ULONG_PTR)AuthEx->User + (PUCHAR) AuthIdentity);
} else { if ( !LsapIsBlockInKMap( KMap, AuthEx->User ) ) { Status = STATUS_ACCESS_VIOLATION ; } }
} if ( AuthEx->Domain ) { if ( (ULONG_PTR) AuthEx->Domain > PoolBase) { AuthEx->Domain = (PWSTR) ( (ULONG_PTR) AuthEx->Domain - PoolBase );
} if ( (ULONG_PTR) AuthEx->Domain < 0x10000 ) { AuthEx->Domain = (PWSTR) ((ULONG_PTR)AuthEx->Domain + (PUCHAR) AuthIdentity);
} else { if ( !LsapIsBlockInKMap( KMap, AuthEx->Domain ) ) { Status = STATUS_ACCESS_VIOLATION ; } }
} if ( AuthEx->Password ) { if ( (ULONG_PTR) AuthEx->Password > PoolBase) { AuthEx->Password = (PWSTR) ( (ULONG_PTR) AuthEx->Password - PoolBase );
} if ( (ULONG_PTR) AuthEx->Password < 0x10000 ) { AuthEx->Password = (PWSTR) ((ULONG_PTR)AuthEx->Password + (PUCHAR) AuthIdentity);
} else { if ( !LsapIsBlockInKMap( KMap, AuthEx->Password ) ) { Status = STATUS_ACCESS_VIOLATION ; } }
} if ( AuthEx->PackageList ) { if ( (ULONG_PTR) AuthEx->PackageList > PoolBase) { AuthEx->PackageList = (PWSTR) ( (ULONG_PTR) AuthEx->PackageList - PoolBase );
} if ( (ULONG_PTR) AuthEx->PackageList < 0x10000 ) { AuthEx->PackageList = (PWSTR) ((ULONG_PTR)AuthEx->PackageList + (PUCHAR) AuthIdentity);
} else { if ( !LsapIsBlockInKMap( KMap, AuthEx->PackageList ) ) { Status = STATUS_ACCESS_VIOLATION ; } }
}
return Status ;}
//+-------------------------------------------------------------------------
//
// Function: LpcAcquireCreds()
//
// Synopsis: Lpc stub for AcquireCredHandle
//
// Effects: Calls the WLsaAcquire function
//
// Arguments: pApiMessage - Input message
// pApiMessage - Output message
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUSLpcAcquireCreds( PSPM_LPC_MESSAGE pApiMessage ){ UNICODE_STRING ssPrincipalName; UNICODE_STRING ssPackageName; NTSTATUS scApiRet; NTSTATUS scRet; SPMAcquireCredsAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.AcquireCreds;
PLSA_CALL_INFO CallInfo ; PUCHAR Where = NULL;
CallInfo = LsapGetCurrentCall();
DebugLog((DEB_TRACE, "[%x] LpcAcquireCreds()\n", GetCurrentSession()->dwProcessID));
ssPrincipalName.Buffer = NULL; ssPackageName.Buffer = NULL;
if (pArgs->ssPrincipal.Buffer ) { scRet = GetClientString(&pArgs->ssPrincipal, &ssPrincipalName, pApiMessage, &Where); if (FAILED(scRet)) { DebugLog((DEB_ERROR, "GetClientString failed to get principal name 0x%08x\n", scRet)); pApiMessage->ApiMessage.scRet = scRet; return(scRet); }
} else { ssPrincipalName.MaximumLength = 0; ssPrincipalName.Length = 0; ssPrincipalName.Buffer = NULL; }
scRet = GetClientString(&pArgs->ssSecPackage, &ssPackageName, pApiMessage, &Where);
if (FAILED(scRet)) { LsapFreePrivateHeap(ssPrincipalName.Buffer); DebugLog((DEB_ERROR, "GetClientString failed to get package name 0x%08x\n", scRet)); pApiMessage->ApiMessage.scRet = scRet; return(scRet); }
if ( CallInfo->Flags & CALL_FLAG_KERNEL_POOL ) { scRet = LsapFixupAuthIdentity( CallInfo->KMap, pArgs->pvAuthData ); if ( !NT_SUCCESS( scRet ) ) { LsapFreePrivateHeap(ssPrincipalName.Buffer); LsapFreePrivateHeap(ssPackageName.Buffer); DebugLog((DEB_ERROR, "AuthData in KMap not formatted correctly\n" ));
pApiMessage->ApiMessage.scRet = scRet; return(scRet); } }
scApiRet = WLsaAcquireCredHandle( (PSECURITY_STRING) &ssPrincipalName, (PSECURITY_STRING) &ssPackageName, pArgs->fCredentialUse, &pArgs->LogonID, (PVOID) pArgs->pvAuthData, (PVOID) pArgs->pvGetKeyFn, (PVOID) pArgs->ulGetKeyArgument, &pArgs->hCredential, &pArgs->tsExpiry);
//
// Reset the reply flags:
//
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ;
DebugLog((DEB_TRACE_VERB, "[%x] WLsaAcquire returned %x\n", GetCurrentSession()->dwProcessID, scRet));
LsapFreePrivateHeap(ssPackageName.Buffer);
LsapFreePrivateHeap(ssPrincipalName.Buffer);
pApiMessage->ApiMessage.scRet = scApiRet;
if (FAILED(pApiMessage->ApiMessage.scRet)) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET; }
return(S_OK);}
//+---------------------------------------------------------------------------
//
// Function: LpcFreeCredHandle
//
// Synopsis: Free a credential handle
//
// Arguments: [pApiMessage] --
//
// History: 8-14-98 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLpcFreeCredHandle( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS hrApiRet;
DebugLog((DEB_TRACE, "[%x] LpcFreeCreds\n", GetCurrentSession()->dwProcessID));
hrApiRet = WLsaFreeCredHandle(&pApiMessage->ApiMessage.Args.SpmArguments.API.FreeCredHandle.hCredential);
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ;
pApiMessage->ApiMessage.scRet = hrApiRet;
if (FAILED(hrApiRet)) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET; }
return(S_OK);}
//+---------------------------------------------------------------------------
//
// Function: LsapCaptureBuffers
//
// Synopsis: Capture client buffers and counts to local memory, validating
// as we go.
//
// Arguments: [InputBuffers] --
// [MappedBuffers] --
// [MapTokenBuffer] --
//
// History: 8-14-98 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLsapCaptureBuffers( IN PUCHAR Base, IN PSecBufferDesc InputBuffers, OUT PSecBufferDesc MappedBuffers, OUT PVOID * CapturedBuffers, IN BOOLEAN MapTokenBuffers ){ NTSTATUS Status = STATUS_SUCCESS ; PSecBuffer LocalCopy ; PSecBufferDesc Capture ; ULONG i ;
//
// Initialize them first:
//
*CapturedBuffers = NULL ;
RtlZeroMemory( MappedBuffers->pBuffers, MappedBuffers->cBuffers * sizeof( SecBuffer ) );
for (i = 0 ; i < MappedBuffers->cBuffers ; i++ ) { MappedBuffers->pBuffers[ i ].BufferType = SECBUFFER_UNMAPPED ; }
if ( InputBuffers->cBuffers > MappedBuffers->cBuffers ) { return STATUS_INVALID_PARAMETER ; }
//
// Sizewise, we're safe to copy now:
//
if ( (ULONG_PTR) InputBuffers->pBuffers < PORT_MAXIMUM_MESSAGE_LENGTH ) { if ((InputBuffers->cBuffers * sizeof( SecBuffer ) > CBPREPACK) || ((ULONG_PTR) InputBuffers->pBuffers + InputBuffers->cBuffers * sizeof(SecBuffer) > PORT_MAXIMUM_MESSAGE_LENGTH)) { return STATUS_INVALID_PARAMETER ; }
LocalCopy = (PSecBuffer) (Base + (ULONG_PTR) InputBuffers->pBuffers );
RtlCopyMemory( MappedBuffers->pBuffers, LocalCopy, InputBuffers->cBuffers * sizeof( SecBuffer ) ); } else { //
// They were too big to fit. Copy them directly from the client
// process:
//
Capture = (PSecBufferDesc) LsapAllocatePrivateHeap( sizeof( SecBufferDesc ) + sizeof( SecBuffer ) * InputBuffers->cBuffers );
if ( Capture == NULL ) { Status = SEC_E_INSUFFICIENT_MEMORY ; } else { Capture->pBuffers = (PSecBuffer) (Capture + 1); Capture->cBuffers = InputBuffers->cBuffers ; Capture->ulVersion = SECBUFFER_VERSION ;
Status = LsapCopyFromClient( InputBuffers->pBuffers, MappedBuffers->pBuffers, InputBuffers->cBuffers * sizeof( SecBuffer ) );
if ( NT_SUCCESS( Status ) ) { RtlCopyMemory( Capture->pBuffers, MappedBuffers->pBuffers, InputBuffers->cBuffers * sizeof( SecBuffer ) );
*CapturedBuffers = Capture ; } else { LsapFreePrivateHeap( Capture ); }
}
}
if ( !NT_SUCCESS( Status ) ) { for ( i = 0 ; i < MappedBuffers->cBuffers ; i++ ) { MappedBuffers->pBuffers[ i ].BufferType = SECBUFFER_UNMAPPED ; } return Status ; }
//
// Touch up the mapped buffers so that the count is correct
//
MappedBuffers->cBuffers = InputBuffers->cBuffers ;
//
// try to map the security blob one:
//
if ( MapTokenBuffers ) { Status = MapTokenBuffer( MappedBuffers, TRUE ); } else { Status = STATUS_SUCCESS ; }
return Status ;
}
VOIDLsapResetKsecBuffer( PKSEC_LSA_MEMORY_HEADER Header ){ Header->Consumed = Header->Preserve ; Header->MapCount = 0 ; RtlZeroMemory( Header->PoolMap, sizeof( KSEC_LSA_POOL_MAP ) * KSEC_LSA_MAX_MAPS );
}
//+---------------------------------------------------------------------------
//
// Function: LsapCreateKsecBuffer
//
// Synopsis: Creates a kmap buffer to return to ksecdd
//
// Arguments: [InitialSize] -- Minimum size of the buffer
//
// History: 2-9-01 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
PKSEC_LSA_MEMORY_HEADERLsapCreateKsecBuffer( SIZE_T InitialSize ){ PKSEC_LSA_MEMORY_HEADER Header = NULL ; NTSTATUS Status ; SIZE_T Size = LSA_MAX_KMAP_SIZE ;
InitialSize += sizeof( KSEC_LSA_MEMORY_HEADER );
DsysAssert( InitialSize < Size );
Status = NtAllocateVirtualMemory( NtCurrentProcess(), (PVOID *) &Header, 0, &Size, MEM_RESERVE, PAGE_READWRITE );
if ( NT_SUCCESS( Status ) ) { Status = NtAllocateVirtualMemory( NtCurrentProcess(), (PVOID *) &Header, 0, &InitialSize, MEM_COMMIT, PAGE_READWRITE );
if ( NT_SUCCESS( Status ) ) { Header->Size = LSA_MAX_KMAP_SIZE ; Header->Commit = (ULONG) InitialSize ; Header->Preserve = sizeof( KSEC_LSA_MEMORY_HEADER );
LsapResetKsecBuffer( Header );
} else { NtFreeVirtualMemory( NtCurrentProcess(), (PVOID *) &Header, 0, MEM_RELEASE );
Header = NULL ; } }
return Header ;
}
PVOIDLsapAllocateFromKsecBuffer( PKSEC_LSA_MEMORY_HEADER Header, ULONG Size ){
SIZE_T DesiredSize ; NTSTATUS Status ; PVOID Block ; PVOID Page ;
Size = ROUND_UP_COUNT( Size, ALIGN_LPVOID );
if ( Header->Consumed + Size > Header->Commit ) { DesiredSize = Header->Commit - Header->Consumed + Size ;
DesiredSize = ROUND_UP_COUNT( DesiredSize, LsapPageSize );
Page = (PUCHAR) Header + Header->Commit ;
Status = NtAllocateVirtualMemory( NtCurrentProcess(), &Page, 0, &DesiredSize, MEM_COMMIT, PAGE_READWRITE );
if ( NT_SUCCESS( Status ) ) { Header->Commit += (ULONG) DesiredSize ;
}
}
if ( Header->Consumed + Size <= Header->Commit ) { Block = (PVOID) ((PUCHAR) Header + Header->Consumed) ;
Header->Consumed += Size ;
} else {
Block = NULL ; }
return Block ;}
//+---------------------------------------------------------------------------
//
// Function: LsapUncaptureBuffers
//
// Synopsis: Return all the buffers to the client process.
//
// Arguments: [Base] -- Base address of message
// [CapturedBuffers]-- Captured buffer descriptions
// [InputBuffers] -- Buffers supplied by the client
// [MappedBuffers] -- Mapped buffers
// [AllocateMemory] -- Allocate memory for
//
// History: 8-14-98 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLsapUncaptureBuffers( IN PUCHAR Base, IN OUT PVOID * CapturedBuffers, IN OUT PSecBufferDesc InputBuffers, IN OUT PSecBufferDesc MappedBuffers, IN BOOL AllocateMemory, IN BOOL CopyBack, OUT PULONG pFlags ){ NTSTATUS Status = STATUS_SUCCESS ; PSecBuffer Buffers ; PSecBufferDesc Capture ; ULONG i ; PVOID Scratch ; PVOID ScratchBuffers[ MAX_SECBUFFERS ]; PSecBufferDesc Input; SecBufferDesc InputFixup ; PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
DebugLog(( DEB_TRACE_SPECIAL, "LsapUncaptureBuffers:\n" ));
RtlZeroMemory( ScratchBuffers, sizeof( ScratchBuffers ) );
Capture = (PSecBufferDesc) *CapturedBuffers ;
if ( InputBuffers ) {
if ( Capture ) { DebugLog(( DEB_TRACE_SPECIAL, " using captured buffers\n" )); Input = Capture ; } else { if ( (ULONG_PTR) InputBuffers->pBuffers < PORT_MAXIMUM_MESSAGE_LENGTH ) { //
// Time to fix up:
//
InputFixup.pBuffers = (PSecBuffer) (Base + (ULONG_PTR) InputBuffers->pBuffers ); InputFixup.cBuffers = InputBuffers->cBuffers ; InputFixup.ulVersion = SECBUFFER_VERSION ;
Input = &InputFixup ; DebugLog(( DEB_TRACE_SPECIAL, " using buffers in message\n" )); } else { Input = InputBuffers ; DebugLog(( DEB_TRACE_SPECIAL, " using buffers from caller\n" )); }
}
//
// First, handle the map back to the client process
//
for ( i = 0 ; i < MappedBuffers->cBuffers ; i++ ) {
//
// If this is a read only buffer, or it was not mapped across,
// skip it. There is no change that will go back to the client.
//
DebugLog(( DEB_TRACE_SPECIAL, " Processing buffer %d, <t=%x [%c%c%c],cb=%x,pv=%p>\n", i, MappedBuffers->pBuffers[ i ].BufferType & ~SECBUFFER_ATTRMASK, (MappedBuffers->pBuffers[ i ].BufferType & SECBUFFER_READONLY ? 'R' : ' '), (MappedBuffers->pBuffers[ i ].BufferType & SECBUFFER_UNMAPPED ? 'U' : ' '), (MappedBuffers->pBuffers[ i ].BufferType & SECBUFFER_KERNEL_MAP ? 'K' : ' '), MappedBuffers->pBuffers[ i ].cbBuffer, MappedBuffers->pBuffers[ i ].pvBuffer ));
//
// For readonly or untouched buffers, skip them.
//
if ( ( MappedBuffers->pBuffers[ i ].BufferType & SECBUFFER_ATTRMASK ) == ( SECBUFFER_READONLY | SECBUFFER_UNMAPPED ) ) { DebugLog(( DEB_TRACE_SPECIAL, " Buffer %d: skipped\n", i )); continue; }
//
// If this is a SSPI security blob (aka a token), decide what
// needs to be done:
//
if ( ( MappedBuffers->pBuffers[ i ].BufferType & (~SECBUFFER_ATTRMASK) ) == SECBUFFER_TOKEN ) { if ( ( MappedBuffers->pBuffers[ i ].cbBuffer > 0 ) && ( CopyBack ) ) { DebugLog(( DEB_TRACE_SPECIAL, " Copying back buffer %d\n", i ));
if ( CallInfo->Flags & CALL_FLAG_KMAP_USED ) { //
// KMap case:
//
Scratch = LsapAllocateFromKsecBuffer( CallInfo->KMap, MappedBuffers->pBuffers[ i ].cbBuffer );
if ( !Scratch ) { Status = SEC_E_INSUFFICIENT_MEMORY ; break;
}
*pFlags |= SPMAPI_FLAG_KMAP_MEM ;
} else if ( AllocateMemory ) { Scratch = LsapClientAllocate( MappedBuffers->pBuffers[ i ].cbBuffer );
//
// Allocation failed, break out of the loop with a failure
// status code, and handle the failure there:
//
if ( !Scratch ) { Status = SEC_E_INSUFFICIENT_MEMORY ; break; }
*pFlags |= SPMAPI_FLAG_MEMORY; } else {
Scratch = Input->pBuffers[ i ].pvBuffer ; if ( Input->pBuffers[ i ].cbBuffer < MappedBuffers->pBuffers[ i ].cbBuffer ) { //
// Buffer too small. Break out and return the failure
//
Status = STATUS_BUFFER_TOO_SMALL ; break; } }
//
// Copy the buffer back to the client address space
//
ScratchBuffers[ i ] = Scratch ;
if ( CallInfo->Flags & CALL_FLAG_KMAP_USED ) { DebugLog(( DEB_TRACE_SPECIAL, " Copying %x bytes from %p to %p [KMap]\n", MappedBuffers->pBuffers[ i ].cbBuffer, MappedBuffers->pBuffers[ i ].pvBuffer, Scratch ));
RtlCopyMemory( Scratch, MappedBuffers->pBuffers[ i ].pvBuffer, MappedBuffers->pBuffers[ i ].cbBuffer );
Status = STATUS_SUCCESS ;
} else { DebugLog(( DEB_TRACE_SPECIAL, " Copying %x bytes from %p to %p\n", MappedBuffers->pBuffers[ i ].cbBuffer, MappedBuffers->pBuffers[ i ].pvBuffer, Scratch ));
Status = LsapCopyToClient( MappedBuffers->pBuffers[ i ].pvBuffer, Scratch, MappedBuffers->pBuffers[ i ].cbBuffer );
}
if ( !NT_SUCCESS( Status ) ) { break; }
} else { //
// For zero length buffers that appear to be mapped, set scratch
// equal to the original input value.
//
DebugLog(( DEB_TRACE_SPECIAL, " Zero length buffer\n" ));
ScratchBuffers[ i ] = Input->pBuffers[ i ].pvBuffer ; } } else { //
// This is not a token buffer, it is a EXTRA, or PADDING, or
// one of those. Turn off the mapping bit, and copy out
// the buffer value.
//
DebugLog(( DEB_TRACE_SPECIAL, " Special buffer [%p] passed back\n", Input->pBuffers[ i ].pvBuffer ));
ScratchBuffers[ i ] = Input->pBuffers[ i ].pvBuffer ; }
} } else {
DebugLog(( DEB_TRACE_SPECIAL, "InputBuffers is NULL, just walking and freeing\n" )); }
//
// Now go through and free any allocated memory
//
for ( i = 0 ; i < MappedBuffers->cBuffers ; i++ ) { if ( (MappedBuffers->pBuffers[ i ].BufferType & SECBUFFER_UNMAPPED) == 0 ) { //
// This buffer was mapped in. Free it.
//
if ( !LsapIsBlockInKMap( CallInfo->KMap, MappedBuffers->pBuffers[ i ].pvBuffer ) ) { LsapFreeLsaHeap( MappedBuffers->pBuffers[ i ].pvBuffer );
} else { DebugLog(( DEB_TRACE_SPECIAL, "Buffer at %p is in KMap\n", MappedBuffers->pBuffers[ i ].pvBuffer )); } }
//
// Turn off our bit
//
MappedBuffers->pBuffers[ i ].BufferType &= ~(SECBUFFER_UNMAPPED);
//
// If we allocated a new buffer (here or in the client), it's
// been stored away in the scratch array, and we copy it in
//
if ( ScratchBuffers[ i ] ) { MappedBuffers->pBuffers[ i ].pvBuffer = ScratchBuffers[ i ]; } }
if ( InputBuffers ) { if ( NT_SUCCESS( Status ) ) { //
// Now, copy back the buffer descriptors. Note that in the normal (optimal)
// case, this will fit into the LPC message. Otherwise, we have to copy
if ( (ULONG_PTR) InputBuffers->pBuffers < PORT_MAXIMUM_MESSAGE_LENGTH ) { Buffers = (PSecBuffer) (Base + (ULONG_PTR) InputBuffers->pBuffers );
RtlCopyMemory( Buffers, MappedBuffers->pBuffers, MappedBuffers->cBuffers * sizeof( SecBuffer ) ); } else { Status = LsapCopyToClient( MappedBuffers->pBuffers, InputBuffers->pBuffers, MappedBuffers->cBuffers * sizeof( SecBuffer ) ); }
InputBuffers->cBuffers = MappedBuffers->cBuffers ; }
}
if ( Capture ) { LsapFreePrivateHeap( Capture ); *CapturedBuffers = NULL ; }
return Status ;
}
//+---------------------------------------------------------------------------
//
// Function: LsapChangeBuffer
//
// Synopsis: Switches a buffer around. If the old one needs to be freed,
// it is cleaned up.
//
// Arguments: [Old] --
// [New] --
//
// Returns:
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLsapChangeBuffer( PSecBuffer Old, PSecBuffer New ){ if ( ( Old->BufferType & SECBUFFER_KERNEL_MAP ) == 0 ) { if ( ( Old->BufferType & SECBUFFER_UNMAPPED ) == 0 ) { LsapFreeLsaHeap( Old->pvBuffer ); }
}
*Old = *New ;
return STATUS_SUCCESS ;}
NTSTATUSLsapCheckMarshalledTargetInfo( IN PUNICODE_STRING TargetServerName ){ ULONG CandidateSize;
NTSTATUS Status;
//
// If target info wasn't supplied,
// do nothing
//
if( (TargetServerName == NULL) || (TargetServerName->Buffer == NULL) || (TargetServerName->Length == 0) ) { return STATUS_SUCCESS; }
//
// Unmarshal without asking for the unmarshaled data to get the size of the marshaled data
//
Status = CredUnmarshalTargetInfo ( TargetServerName->Buffer, TargetServerName->Length, NULL, &CandidateSize );
if( !NT_SUCCESS(Status) ) { if( Status == STATUS_INVALID_PARAMETER ) { Status = STATUS_SUCCESS; } } else {
//
// marshalled information was found. adjust the Length to
// represent the non-marshalled content, and MaximumLength to
// include non-marshalled+marshalled content. This allows legacy
// packages to continue to handle the TargetServerName string properly.
//
TargetServerName->MaximumLength = TargetServerName->Length; TargetServerName->Length -= (USHORT)CandidateSize; }
return Status ;}
//+-------------------------------------------------------------------------
//
// Function: LpcInitContext()
//
// Synopsis: LPC Serverside InitializeSecurityContext
//
// Notes: OutputBuffers and LocalOutput are the local copy of the
// output buffers. The secbuffers in the ApiMessage point
// to client addresses.
//
//--------------------------------------------------------------------------
NTSTATUSLpcInitContext( PSPM_LPC_MESSAGE pApiMessage )
{ UNICODE_STRING ssTarget = {0,0,NULL}; NTSTATUS scApiRet; NTSTATUS scRet; ULONG i; PSecBufferDesc pOutput = NULL; PSecBufferDesc pInput = NULL; PVOID CapturedInput = NULL ; PVOID CapturedOutput = NULL ; SecBufferDesc LocalOutput; SecBufferDesc LocalInput ; SPMInitContextAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.InitContext; PUCHAR Where = NULL; SecBuffer ContextData = {0,0,NULL}; SecBuffer OutputBuffers[MAX_SECBUFFERS]; SecBuffer InputBuffers[MAX_SECBUFFERS]; BOOLEAN MappedOutput = FALSE; BOOLEAN FirstCall ; DWORD Flags ; PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
DebugLog((DEB_TRACE, "[%x] LpcInitContext()\n", GetCurrentSession()->dwProcessID));
DebugLog((DEB_TRACE_VERB, " hCredentials = %d:%d\n", pArgs->hCredential.dwUpper, pArgs->hCredential.dwLower));
//
// Copy target string to local space:
//
scRet = GetClientString(&pArgs->ssTarget, &ssTarget, pApiMessage, &Where); if (FAILED(scRet)) { pApiMessage->ApiMessage.scRet = scRet; pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET; DebugLog((DEB_ERROR, "LpcInitContext, no target, error %x\n", scRet)); return(scRet); }
//
// check if the caller supplied marshalled target info.
// this will update the Length and MaximumLength fields
// if marshalled info was present.
//
LsapCheckMarshalledTargetInfo( &ssTarget );
//
// Set all the SecBuffer's to be unmapped, but map the Security token
//
LocalInput.pBuffers = InputBuffers ; LocalInput.ulVersion = SECBUFFER_VERSION ;
if (pArgs->sbdInput.cBuffers) {
pInput = &pArgs->sbdInput;
//
// If there is a buffer, reset the pointer and
// map it
//
LocalInput.cBuffers = MAX_SECBUFFERS ;
scRet = LsapCaptureBuffers( (PUCHAR) pArgs, pInput, &LocalInput, &CapturedInput, TRUE );
if ( !NT_SUCCESS( scRet ) ) { pInput = NULL ; scApiRet = scRet ; goto InitCleanExit ; }
} else { LocalInput.pBuffers = InputBuffers ; LocalInput.cBuffers = 0 ; LocalInput.ulVersion = SECBUFFER_VERSION ; }
//
// Copy the output SecBuffer's so that if they get mapped we can
// still copy back the data
//
pOutput = &pArgs->sbdOutput; if (pOutput->cBuffers) { LocalOutput.cBuffers = MAX_SECBUFFERS ; LocalOutput.pBuffers = OutputBuffers; LocalOutput.ulVersion = SECBUFFER_VERSION ;
scRet = LsapCaptureBuffers( (PUCHAR) pArgs, pOutput, &LocalOutput, &CapturedOutput, FALSE );
if ( !NT_SUCCESS( scRet ) ) { scApiRet = scRet ; goto Init_FreeStringAndExit ; }
MappedOutput = TRUE; } else { LocalOutput.cBuffers = 0 ; LocalOutput.pBuffers = OutputBuffers ; LocalOutput.ulVersion = SECBUFFER_VERSION ; }
if (pArgs->sbdOutput.cBuffers && !(pArgs->fContextReq & ISC_REQ_ALLOCATE_MEMORY)) { if (FAILED(scRet = MapTokenBuffer(&LocalOutput, FALSE))) { scApiRet = scRet; goto InitCleanExit; } }
//
// Call the worker for relay to the package:
//
if ( ( pArgs->hContext.dwUpper == 0 ) && ( pArgs->hContext.dwLower == 0 ) ) { FirstCall = TRUE ; } else { FirstCall = FALSE ; }
scApiRet = WLsaInitContext( &pArgs->hCredential, &pArgs->hContext, (PSECURITY_STRING) &ssTarget, pArgs->fContextReq, pArgs->dwReserved1, pArgs->TargetDataRep, &LocalInput, // &pArgs->sbdInput,
pArgs->dwReserved2, &pArgs->hNewContext, &LocalOutput, &pArgs->fContextAttr, &pArgs->tsExpiry, &pArgs->MappedContext, &ContextData );
// DsysAssert( scApiRet != SEC_E_INVALID_HANDLE );
if( scApiRet == SEC_E_INVALID_HANDLE || scApiRet == STATUS_INVALID_HANDLE ) { DebugLog((DEB_ERROR, "[%x] LpcInitContext() returning invalid handle\n", GetCurrentSession()->dwProcessID));
DebugLog((DEB_ERROR, " hCredentials = %p:%p\n", pArgs->hCredential.dwUpper, pArgs->hCredential.dwLower)); DebugLog((DEB_ERROR, " hContext = %p:%p\n", pArgs->hContext.dwUpper, pArgs->hContext.dwLower));
DsysAssert( ShutdownBegun ); }
//
// Reset the reply flags:
//
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ;
//
// If this is the failure case, don't bother copying everything down.
//
if (FAILED(scApiRet)) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET;
//
// Unmap any output buffers
//
Flags = 0 ;
scRet = LsapUncaptureBuffers( (PUCHAR) pArgs, &CapturedOutput, &pArgs->sbdOutput, &LocalOutput, FALSE, FALSE, &Flags );
} else { //
// Now we have to look at the output and copy all the mapped
// buffers back.
//
Flags = pApiMessage->ApiMessage.Args.SpmArguments.fAPI ;
//
// if a KMap is present, use it.
//
if ( CallInfo->KMap ) { CallInfo->Flags |= CALL_FLAG_KMAP_USED ; }
scRet = LsapUncaptureBuffers( (PUCHAR) pArgs, &CapturedOutput, &pArgs->sbdOutput, &LocalOutput, (pArgs->fContextReq & ISC_REQ_ALLOCATE_MEMORY) ? TRUE : FALSE, TRUE, &Flags );
pApiMessage->ApiMessage.Args.SpmArguments.fAPI = (USHORT) Flags ;
if (NT_SUCCESS(scRet) && (ContextData.cbBuffer != 0)) { pArgs->ContextData = ContextData; pArgs->ContextData.pvBuffer = LsapClientAllocate(ContextData.cbBuffer); if ( pArgs->ContextData.pvBuffer ) { scRet = LsapCopyToClient( ContextData.pvBuffer, pArgs->ContextData.pvBuffer, ContextData.cbBuffer ); } else { scRet = SEC_E_INSUFFICIENT_MEMORY ; } }
if (FAILED(scRet)) { //
// Again, we have a real problem when this fails. We
// abort the context and return an error.
//
if ( FirstCall ) { AbortLpcContext(&pArgs->hNewContext); }
scApiRet = scRet;
goto InitCleanExit;
}
}
InitCleanExit:
pApiMessage->ApiMessage.scRet = scApiRet;
//
// Unmap the input buffers
//
scRet = LsapUncaptureBuffers( (PUCHAR) pArgs, &CapturedInput, &pArgs->sbdInput, &LocalInput, FALSE, FALSE, NULL );
if (ContextData.pvBuffer != NULL) { LsapFreeLsaHeap(ContextData.pvBuffer); }
if (FAILED(scRet) && (pArgs->ContextData.pvBuffer != NULL)) { LsapClientFree(pArgs->ContextData.pvBuffer); pArgs->ContextData.pvBuffer;
}
Init_FreeStringAndExit:
//
// Test the string pointer. If it is within the KMap, do
// not free it. If there is no KMap, or it was separately
// allocated, free it:
//
if ( !LsapIsBlockInKMap( CallInfo->KMap, ssTarget.Buffer ) ) { LsapFreePrivateHeap( ssTarget.Buffer );
}
return(scRet);}
//+-------------------------------------------------------------------------
//
// Function: LpcAcceptContext()
//
// Synopsis:
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes: The memory management is kind of weird. The input buffers
// are mapped into the SPMgr's memory and can be freed. Easy.
// The output buffers are more complex. The original buffer
// pointers are kep in the arguments structure, while the
// local copies are kept in LocalOutput.
//
//--------------------------------------------------------------------------
NTSTATUSLpcAcceptContext( PSPM_LPC_MESSAGE pApiMessage )
{ NTSTATUS scRet = S_OK; NTSTATUS scApiRet; ULONG i; SecBufferDesc LocalOutput; SecBufferDesc LocalInput ; PSecBufferDesc pInput = NULL; PSecBufferDesc pOutput = NULL ; SPMAcceptContextAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.AcceptContext; BOOLEAN MappedOutput = FALSE; BOOLEAN FirstCall ; BOOL CopyBack = FALSE ; DWORD Flags ; PVOID CapturedInput = NULL ; PVOID CapturedOutput = NULL ;
SecBuffer OutputBuffers[MAX_SECBUFFERS]; SecBuffer InputBuffers[MAX_SECBUFFERS]; SecBuffer ContextData = {0,0,NULL}; PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
DebugLog((DEB_TRACE, "[%x] LpcAcceptContext\n", GetCurrentSession()->dwProcessID));
// Copy input token to local space:
//
// Set all the SecBuffer's to be unmapped, but map the Security token
//
pInput = &pArgs->sbdInput;
LocalInput.pBuffers = InputBuffers ; LocalInput.cBuffers = MAX_SECBUFFERS ; LocalInput.ulVersion = SECBUFFER_VERSION ;
if (pInput->cBuffers) {
scRet = LsapCaptureBuffers( (PUCHAR) pArgs, pInput, &LocalInput, &CapturedInput, TRUE );
if ( !NT_SUCCESS( scRet ) ) { scApiRet = scRet; goto AcceptCleanExit; } } else { LocalInput.cBuffers = 0 ; }
//
// Copy the output SecBuffer's so that if they get mapped we can
// still copy back the data
//
LocalOutput.cBuffers = MAX_SECBUFFERS ; LocalOutput.pBuffers = OutputBuffers ; LocalOutput.ulVersion = SECBUFFER_VERSION ;
pOutput = &pArgs->sbdOutput ;
if ( pOutput->cBuffers ) { scRet = LsapCaptureBuffers( (PUCHAR) pArgs, pOutput, &LocalOutput, &CapturedOutput, FALSE );
if ( !NT_SUCCESS( scRet ) ) { scApiRet = scRet ;
goto AcceptCleanExit ; }
#if DBG
if ( (pArgs->fContextReq & ASC_REQ_ALLOCATE_MEMORY ) == 0 ) { for ( i = 0 ; i < LocalOutput.cBuffers ; i++ ) { if ( (LocalOutput.pBuffers[ i ].BufferType & (~SECBUFFER_ATTRMASK)) == SECBUFFER_TOKEN ) { DsysAssert( LocalOutput.pBuffers[ i ].cbBuffer > 0 );
}
}
}#endif
} else { LocalOutput.cBuffers = 0 ; }
MappedOutput = TRUE; if (LocalOutput.cBuffers && !(pArgs->fContextReq & ASC_REQ_ALLOCATE_MEMORY)) {
if (FAILED(scRet = MapTokenBuffer(&LocalOutput,FALSE))) { scApiRet = scRet; goto AcceptCleanExit; } } else { //
// Since they asked us to allocate memory, ensure the output
// buffers are NULL.
//
for (i = 0; i < LocalOutput.cBuffers ; i++ ) { LocalOutput.pBuffers[i].pvBuffer = NULL; } }
if ( ( pArgs->hContext.dwUpper == 0 ) && ( pArgs->hContext.dwLower == 0 ) ) { FirstCall = TRUE ; } else { FirstCall = FALSE ; }
scApiRet = WLsaAcceptContext( &pArgs->hCredential, &pArgs->hContext, &LocalInput, pArgs->fContextReq, pArgs->TargetDataRep, &pArgs->hNewContext, &LocalOutput, &pArgs->fContextAttr, &pArgs->tsExpiry, &pArgs->MappedContext, &ContextData );
//
// Reset the reply flags:
//
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET;
if (FAILED(scApiRet)) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET;
//
// Copy the sizes from the output security buffers in case they
// are used to indicate how much space is required
//
if ((pArgs->fContextAttr & ASC_RET_EXTENDED_ERROR) == 0) { CopyBack = FALSE ; } else { CopyBack = TRUE ; } } else { CopyBack = TRUE ; }
//
// Turn on this flag on return, so that all allocations will come
// out of the map. This is safe because KMap would only be set
// for the right callers.
//
if ( CallInfo->KMap ) { CallInfo->Flags |= CALL_FLAG_KMAP_USED ; }
if (NT_SUCCESS(scRet) && (ContextData.cbBuffer != 0)) { pArgs->ContextData = ContextData; pArgs->ContextData.pvBuffer = LsapClientAllocate(ContextData.cbBuffer); if (pArgs->ContextData.pvBuffer == NULL) { scRet = SEC_E_INSUFFICIENT_MEMORY; } else { scRet = LsapCopyToClient( ContextData.pvBuffer, pArgs->ContextData.pvBuffer, ContextData.cbBuffer );
if ( !NT_SUCCESS( scRet ) ) { DebugLog(( DEB_ERROR, "Copy to Client failed, %x. Client addr %p, size %#x\n", scRet, pArgs->ContextData.pvBuffer, ContextData.cbBuffer ));
}
} }
if ( NT_SUCCESS( scRet ) ) { Flags = pApiMessage->ApiMessage.Args.SpmArguments.fAPI ;
#if DBG
if ( ( scRet == SEC_I_CONTINUE_NEEDED ) && ( LocalInput.pBuffers[0].cbBuffer < 2048 ) ) { ULONG t ;
for ( t = 0 ; t < LocalOutput.cBuffers ; t++ ) { if ( ( LocalOutput.pBuffers[ t ].BufferType & 0xFFFF ) == SECBUFFER_TOKEN ) { DsysAssert( LocalOutput.pBuffers[ t ].cbBuffer > 0 );
}
}
}#endif
scRet = LsapUncaptureBuffers( (PUCHAR) pArgs, &CapturedOutput, &pArgs->sbdOutput, &LocalOutput, (pArgs->fContextReq & ASC_REQ_ALLOCATE_MEMORY ) ? TRUE : FALSE, CopyBack, &Flags );
pApiMessage->ApiMessage.Args.SpmArguments.fAPI = (USHORT) Flags ;
}
if (FAILED(scRet)) {
if ( FirstCall ) { AbortLpcContext(&pArgs->hNewContext); }
if( scRet == SEC_E_INSUFFICIENT_MEMORY ) { DebugLog((DEB_ERROR,"[%x] Accept Failed, low memory handle passed: %p:%p\n", GetCurrentSession()->dwProcessID, pArgs->hNewContext.dwUpper, pArgs->hNewContext.dwLower )); }
//
// Turn off any flags that would cause the client to try and send
// an invalid blob:
//
pArgs->fContextAttr &= ~ ( ASC_RET_EXTENDED_ERROR );
scApiRet = scRet;
goto AcceptCleanExit; }
AcceptCleanExit:
pApiMessage->ApiMessage.scRet = scApiRet;
//
// This is cool. Either I allocated the buffer, and I can free it this
// way, or the package allocated it. If the package allocated, then the
// address is in this buffer, and I free it. So cool.
//
scRet = LsapUncaptureBuffers( (PUCHAR) pArgs, &CapturedInput, &pArgs->sbdInput, &LocalInput, FALSE, FALSE, NULL );
if (ContextData.pvBuffer != NULL) { LsapFreeLsaHeap(ContextData.pvBuffer); }
if (FAILED(scRet) && (pArgs->ContextData.pvBuffer != NULL)) { LsapClientFree(pArgs->ContextData.pvBuffer); pArgs->ContextData.pvBuffer = NULL; }
return(scRet);}
//+-------------------------------------------------------------------------
//
// Function: LpcEstablishCreds
//
// Synopsis: Lpc stub for WLsaEstablishCreds()
//
// Notes: obsolete
//
//--------------------------------------------------------------------------
NTSTATUSLpcEstablishCreds( PSPM_LPC_MESSAGE pApiMessage ){ pApiMessage->ApiMessage.scRet = STATUS_NOT_SUPPORTED ; pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET;
return STATUS_SUCCESS ;}
//+-------------------------------------------------------------------------
//
// Function: LpcDeleteContext
//
// Synopsis: Delete context
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUSLpcDeleteContext( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS scRet; SPMDeleteContextAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.DeleteContext;
scRet = WLsaDeleteContext( &pArgs->hContext );
//
// Reset the reply flags:
//
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ;
pApiMessage->ApiMessage.scRet = scRet;
return(S_OK);}
//+---------------------------------------------------------------------------
//
// Function: LpcGetBinding
//
// Synopsis: Get the DLL binding info for a package
//
// Arguments: [pApiMessage] --
//
// History: 8-14-98 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLpcGetBinding( PSPM_LPC_MESSAGE pApiMessage ){ SPMGetBindingAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.GetBinding; NTSTATUS scRet; ULONG Size; PWSTR Base; PWSTR Remote;
pArgs->BindingInfo.PackageName.Buffer = NULL ; pArgs->BindingInfo.Comment.Buffer = NULL ;
scRet = WLsaGetBinding( pArgs->ulPackageId, &pArgs->BindingInfo, &Size, &Base );
if (SUCCEEDED(scRet)) { //
// We succeeded so now we have to copy the two strings
//
Remote = (PWSTR) LsapClientAllocate( Size );
if (Remote != NULL) { LsapCopyToClient( Base, Remote, Size );
pArgs->BindingInfo.PackageName.Buffer = Remote ; pArgs->BindingInfo.Comment.Buffer = Remote + pArgs->BindingInfo.PackageName.MaximumLength / 2;
pArgs->BindingInfo.ModuleName.Buffer = pArgs->BindingInfo.Comment.Buffer + pArgs->BindingInfo.Comment.MaximumLength / 2; } else { scRet = SEC_E_INSUFFICIENT_MEMORY; }
LsapFreeLsaHeap( Base );
} pApiMessage->ApiMessage.scRet = scRet;
return(scRet);
}
//+---------------------------------------------------------------------------
//
// Function: LpcSetSession
//
// Synopsis: Internal function to set session options, including the
// hook to do direct calls while in-process.
//
// Arguments: [pApiMessage] --
//
// History: 8-14-98 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLpcSetSession( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS scRet; SPMSetSessionAPI * Args = &pApiMessage->ApiMessage.Args.SpmArguments.API.SetSession ;
DebugLog((DEB_TRACE_VERB,"SetSession\n"));
scRet = LsapSetSessionOptions( Args->Request, Args->Argument, &Args->Response );
pApiMessage->ApiMessage.scRet = STATUS_SUCCESS;
return(scRet);}
//+---------------------------------------------------------------------------
//
// Function: LpcFindPackage
//
// Synopsis: Locates a package by id
//
// Arguments: [pApiMessage] --
//
// History: 8-14-98 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLpcFindPackage( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS scRet; SECURITY_STRING ssPackageName; SPMFindPackageAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.FindPackage; PUCHAR Where = NULL;
scRet = GetClientString(&pArgs->ssPackageName,&ssPackageName, pApiMessage, &Where); if (FAILED(scRet)) { pApiMessage->ApiMessage.scRet = scRet; return(scRet); }
DebugLog((DEB_TRACE_VERB,"Find Package called for %wZ\n",&ssPackageName));
scRet = WLsaFindPackage(&ssPackageName,&pArgs->ulPackageId);
LsapFreePrivateHeap(ssPackageName.Buffer);
pApiMessage->ApiMessage.scRet = scRet; return(scRet);
}
//+---------------------------------------------------------------------------
//
// Function: LpcEnumPackages
//
// Synopsis: Enumerate available packages
//
// Arguments: [pApiMessage] --
//
// History: 8-14-98 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLpcEnumPackages( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS scRet; SPMEnumPackagesAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.EnumPackages;
scRet = WLsaEnumeratePackages(&pArgs->cPackages,&pArgs->pPackages);
pApiMessage->ApiMessage.scRet = scRet; return(scRet);
}
//+-------------------------------------------------------------------------
//
// Function: LpcApplyToken
//
// Synopsis:
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSLpcApplyToken( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS scRet; SPMApplyTokenAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.ApplyToken; ULONG i;
pArgs->sbdInput.pBuffers = pArgs->sbInputBuffer;
scRet = MapTokenBuffer(&pArgs->sbdInput, TRUE); if (FAILED(scRet)) { return(SEC_E_INSUFFICIENT_MEMORY); }
scRet = WLsaApplyControlToken( &pArgs->hContext, &pArgs->sbdInput);
//
// Reset the reply flags:
//
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ;
pApiMessage->ApiMessage.scRet = scRet;
for (i = 0; i < pArgs->sbdInput.cBuffers; i++ ) { if (!(pArgs->sbdInput.pBuffers[i].BufferType & SECBUFFER_UNMAPPED)) { LsapFreeLsaHeap(pArgs->sbdInput.pBuffers[i].pvBuffer); } }
return(scRet);}
//+-------------------------------------------------------------------------
//
// Function: LpcQueryPackage
//
// Synopsis:
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSLpcQueryPackage( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS scRet; SPMQueryPackageAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.QueryPackage; SECURITY_STRING ssPackageName; BOOLEAN fNameAlloc = FALSE; BOOLEAN fCommentAlloc = FALSE; LPWSTR pszNameString = NULL; LPWSTR pszCommentString = NULL; ULONG cbLength; PUCHAR Where = NULL;
scRet = GetClientString(&pArgs->ssPackageName,&ssPackageName, pApiMessage, &Where); if (FAILED(scRet)) { pApiMessage->ApiMessage.scRet = scRet; return(scRet); }
DebugLog((DEB_TRACE_VERB,"Querying package %wZ\n",&ssPackageName));
scRet = WLsaQueryPackageInfo( &ssPackageName, &pArgs->pPackageInfo);
//
// Reset the reply flags:
//
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ;
DebugLog((DEB_TRACE_VERB,"Querying package returned %x\n",scRet));
LsapFreePrivateHeap(ssPackageName.Buffer); pApiMessage->ApiMessage.scRet = scRet;
return(scRet);}
//+-------------------------------------------------------------------------
//
// Function: LpcGetUserInfo
//
// Synopsis:
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSLpcGetUserInfo( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS scRet; static LUID lFake = {0,0}; SPMGetUserInfoAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.GetUserInfo; PLUID pLogonId;
if ((pArgs->LogonId.LowPart == 0) && (pArgs->LogonId.HighPart == 0)) { pLogonId = NULL; } else pLogonId = &pArgs->LogonId;
scRet = WLsaGetSecurityUserInfo( pLogonId, pArgs->fFlags, &pArgs->pUserInfo );
pApiMessage->ApiMessage.scRet = scRet; return(scRet);
}
//+-------------------------------------------------------------------------
//
// Function: LpcGetCreds
//
// Synopsis:
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSLpcGetCreds( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS scRet; SPMGetCredsAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.GetCreds;
scRet = SEC_E_UNSUPPORTED_FUNCTION;
pApiMessage->ApiMessage.scRet = scRet;
//
// It is up to the package to do the right thing with the
// buffer (for now).
//
return(scRet);}
//+-------------------------------------------------------------------------
//
// Function: LpcSaveCreds
//
// Synopsis:
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSLpcSaveCreds(PSPM_LPC_MESSAGE pApiMessage){ NTSTATUS scRet; SPMSaveCredsAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.SaveCreds;
scRet = SEC_E_UNSUPPORTED_FUNCTION;
pApiMessage->ApiMessage.scRet = scRet;
return(scRet);}
//+-------------------------------------------------------------------------
//
// Function: LpcLsaLookupPackage
//
// Synopsis:
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSLpcLsaLookupPackage( PSPM_LPC_MESSAGE pApiMessage ){ PLSAP_AU_API_MESSAGE pLsaMessage = (PLSAP_AU_API_MESSAGE) pApiMessage; UNICODE_STRING sPackageName; ANSI_STRING sAnsiName; PLSAP_SECURITY_PACKAGE pspPackage; NTSTATUS Status;
//
// First, convert ANSI name to UNICODE
//
if ( pLsaMessage->Arguments.LookupPackage.PackageNameLength > LSAP_MAX_PACKAGE_NAME_LENGTH ) { return STATUS_INVALID_PARAMETER ; }
sAnsiName.Length = (USHORT) pLsaMessage->Arguments.LookupPackage.PackageNameLength; sAnsiName.MaximumLength = LSAP_MAX_PACKAGE_NAME_LENGTH+1; sAnsiName.Buffer = pLsaMessage->Arguments.LookupPackage.PackageName;
Status = RtlAnsiStringToUnicodeString(&sPackageName, &sAnsiName, TRUE); if ( !NT_SUCCESS(Status) ) { pLsaMessage->Arguments.LookupPackage.AuthenticationPackage = (ULONG) -1; pLsaMessage->ReturnedStatus = Status; } else { //
// Now, look up the package.
//
pspPackage = SpmpLookupPackage(&sPackageName);
if (pspPackage) { pLsaMessage->Arguments.LookupPackage.AuthenticationPackage = (DWORD) pspPackage->dwPackageID; pLsaMessage->ReturnedStatus = STATUS_SUCCESS; } else { pLsaMessage->Arguments.LookupPackage.AuthenticationPackage = (ULONG) -1; pLsaMessage->ReturnedStatus = STATUS_NO_SUCH_PACKAGE; } RtlFreeUnicodeString(&sPackageName); }
return(S_OK);}
//+-------------------------------------------------------------------------
//
// Function: LpcLsaDeregisterLogonProcess
//
// Synopsis:
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSLpcLsaDeregisterLogonProcess( PSPM_LPC_MESSAGE pApiMessage ){ PLSAP_AU_API_MESSAGE pLsaMessage = (PLSAP_AU_API_MESSAGE) pApiMessage;
//
// The client side will close the handle (or not, not a big deal), and
// we will run down the session at that time. Safer that way, as well.
//
pLsaMessage->ReturnedStatus = STATUS_SUCCESS;
return(S_OK);}
//+---------------------------------------------------------------------------
//
// Function: LpcLsaLogonUser
//
// Synopsis: Unmarshalls everything for a call to WLsaLogonUserWhoopee
//
// Arguments: [pApiMessage] --
//
// History: 6-14-94 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLpcLsaLogonUser( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS Status; LSAP_CLIENT_REQUEST ClientRequest; PLSAP_AU_API_MESSAGE pLsaMessage = (PLSAP_AU_API_MESSAGE) pApiMessage;
ClientRequest.Request = (PLSAP_AU_API_MESSAGE) pApiMessage;
pLsaMessage->ReturnedStatus = LsapAuApiDispatchLogonUser(&ClientRequest);
if ( NT_SUCCESS( pLsaMessage->ReturnedStatus ) ) { if ( ( pLsaMessage->Arguments.LogonUser.LogonType == Interactive ) && ( pLsaMessage->Arguments.LogonUser.ProfileBuffer == NULL ) ) { DsysAssertMsg( pLsaMessage->Arguments.LogonUser.ProfileBuffer, "Successful logon, but profile is NULL. w\n" ); } }
return(STATUS_SUCCESS);
}
//+-------------------------------------------------------------------------
//
// Function: LpcLsaCallPackage
//
// Synopsis:
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSLpcLsaCallPackage( PSPM_LPC_MESSAGE pApiMessage ){ LSAP_CLIENT_REQUEST ClientRequest; PLSAP_AU_API_MESSAGE pLsaMessage = (PLSAP_AU_API_MESSAGE) pApiMessage;
ClientRequest.Request = (PLSAP_AU_API_MESSAGE) pApiMessage;
pLsaMessage->ReturnedStatus = LsapAuApiDispatchCallPackage(&ClientRequest);
return(STATUS_SUCCESS);}
//+-------------------------------------------------------------------------
//
// Function: LpcQueryCredAttributes
//
//
//
//--------------------------------------------------------------------------
NTSTATUSLpcQueryCredAttributes( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS hrApiRet; SPMQueryCredAttributesAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.QueryCredAttributes; PLSA_CALL_INFO CallInfo ;
CallInfo = LsapGetCurrentCall();
hrApiRet = WLsaQueryCredAttributes( &pArgs->hCredentials, pArgs->ulAttribute, pArgs->pBuffer );
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ;
if ( CallInfo->Allocs ) { ULONG i ;
pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ALLOCS ;
pArgs->Allocs = CallInfo->Allocs ;
for ( i = 0 ; i < CallInfo->Allocs ; i++ ) { pArgs->Buffers[i] = CallInfo->Buffers[i] ; } }
pApiMessage->ApiMessage.scRet = hrApiRet;
if (FAILED(hrApiRet)) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET; }
return(S_OK);}
//+---------------------------------------------------------------------------
//
// Function: LpcAddPackage
//
// Algorithm:
//
// History: 3-05-97 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
SECURITY_STATUSLpcAddPackage( PSPM_LPC_MESSAGE pApiMessage ){ SPMAddPackageAPI * pArgs; SECURITY_STRING PackageName; SECURITY_STATUS scRet ; PUCHAR Where = NULL; SECURITY_PACKAGE_OPTIONS Options;
pArgs = LPC_MESSAGE_ARGSP( pApiMessage, AddPackage );
scRet = GetClientString(&pArgs->Package, &PackageName, pApiMessage, &Where);
if (FAILED(scRet)) { pApiMessage->ApiMessage.scRet = scRet;
return(scRet); }
DebugLog((DEB_TRACE_VERB,"Add Package called for %ws\n", PackageName.Buffer ));
Options.Flags = pArgs->OptionsFlags ; Options.Size = sizeof( SECURITY_PACKAGE_OPTIONS );
scRet = WLsaAddPackage( &PackageName, &Options );
LsapFreePrivateHeap( PackageName.Buffer );
pApiMessage->ApiMessage.scRet = scRet;
return( scRet );
}
//+---------------------------------------------------------------------------
//
// Function: LpcDeletePackage
//
// History: 3-05-97 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
SECURITY_STATUSLpcDeletePackage( PSPM_LPC_MESSAGE pApiMessage){ pApiMessage->ApiMessage.scRet = SEC_E_UNSUPPORTED_FUNCTION ;
return( SEC_E_OK );}
//+---------------------------------------------------------------------------
//
// Function: LpcQueryContextAttributes
//
// History: 3-05-97 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLpcQueryContextAttributes( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS hrApiRet; SPMQueryContextAttrAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.QueryContextAttr; PLSA_CALL_INFO CallInfo ;
CallInfo = LsapGetCurrentCall();
hrApiRet = WLsaQueryContextAttributes( &pArgs->hContext, pArgs->ulAttribute, pArgs->pBuffer );
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ;
pApiMessage->ApiMessage.scRet = hrApiRet;
if ( CallInfo->Allocs ) { ULONG i ;
pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ALLOCS ;
pArgs->Allocs = CallInfo->Allocs ;
for ( i = 0 ; i < CallInfo->Allocs ; i++ ) { pArgs->Buffers[i] = CallInfo->Buffers[i] ; } }
if (FAILED(hrApiRet)) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET; }
return(S_OK);}
//+---------------------------------------------------------------------------
//
// Function: LpcSetContextAttributes
//
// History: 4-20-00 CliffV Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLpcSetContextAttributes( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS hrApiRet; SPMSetContextAttrAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.SetContextAttr; PLSA_CALL_INFO CallInfo ;
CallInfo = LsapGetCurrentCall();
hrApiRet = WLsaSetContextAttributes( &pArgs->hContext, pArgs->ulAttribute, pArgs->pBuffer, pArgs->cbBuffer );
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ;
pApiMessage->ApiMessage.scRet = hrApiRet;
if (FAILED(hrApiRet)) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET; }
return(S_OK);}
#ifdef ProfilingEfs
//
// This is for test only. We don't check error vigorously.
//
VOIDOutputEfsProfilingLog( WCHAR *UserName, ULONG AuthIdLow, WCHAR *EfsOp, LARGE_INTEGER *StartTime, LARGE_INTEGER *ProfileStartTime, LARGE_INTEGER *ProfileEndtime, LARGE_INTEGER *UnLoadStartTime, LARGE_INTEGER *UnLoadEndTime, LARGE_INTEGER *EndTime ){
SYSTEMTIME SysTime; WCHAR OutBuffer[160]; WCHAR LogFileName[16]; DWORD BytesWriiten;
GetLocalTime(&SysTime); wsprintf(LogFileName, L"%d.%d.%d", SysTime.wYear, SysTime.wMonth, SysTime.wDay); if (wcscmp(LogFileName, EfsProfileLogName)) {
LONG IsFileBeingCreated;
IsFileBeingCreated = InterlockedExchange(&LogFileIsBeingCreated, 1);
if (IsFileBeingCreated != 1) {
if (EfsProfileLogHandle) { CloseHandle(EfsProfileLogHandle); EfsProfileLogHandle = 0; } wcscpy(EfsProfileLogName, LogFileName); wcscpy(OutBuffer, L"d:\\efs\\"); wcscat(OutBuffer, LogFileName); EfsProfileLogHandle = CreateFile( OutBuffer, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL );
InterlockedExchange(&LogFileIsBeingCreated, IsFileBeingCreated);
} else { Sleep(5000); //Wait for 5 seconds
}
}
wsprintf(OutBuffer, L"%d.%d.%d:%d.%d.%d\t%ws\t%lu\t%ld\t%ws\t%lu\t%lu\t%lu\t%lu\r\n", SysTime.wYear, SysTime.wMonth, SysTime.wDay, SysTime.wHour, SysTime.wMinute, SysTime.wSecond, UserName, AuthIdLow, UserCacheListCount, EfsOp, (ULONG)((EndTime->QuadPart - StartTime->QuadPart)/1000), (ULONG)((ProfileEndtime->QuadPart - ProfileStartTime->QuadPart)/1000), (ULONG)((UnLoadEndTime->QuadPart - UnLoadStartTime->QuadPart)/1000), (ULONG)((UnLoadStartTime->QuadPart - ProfileEndtime->QuadPart)/1000) ); WriteFile( EfsProfileLogHandle, OutBuffer, wcslen(OutBuffer)*sizeof(WCHAR), &BytesWriiten, NULL ); DbgPrint("%ws%", OutBuffer);}#endif
//+---------------------------------------------------------------------------
//
// Function: LpcCallback
//
// Synopsis: Callback handler. Should never be hit.
//
// Arguments: [pApiMessage] --
//
// History: 3-05-97 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLpcCallback( PSPM_LPC_MESSAGE pApiMessage ){ pApiMessage->ApiMessage.scRet = SEC_E_UNSUPPORTED_FUNCTION ; pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ; return S_OK ;}
NTSTATUSWLsaGenerateKey( PEFS_DATA_STREAM_HEADER DirectoryEfsStream, PEFS_DATA_STREAM_HEADER * EfsStream, PULONG EfsLength, PEFS_KEY * Fek ){ NTSTATUS Status; DWORD HResult;
PEFS_DATA_STREAM_HEADER EfsStreamHeader;
#ifdef ProfilingEfs
LARGE_INTEGER StartTotal;LARGE_INTEGER StartProfile;LARGE_INTEGER EndProfile;LARGE_INTEGER EndTotal;LARGE_INTEGER StartUnload;LARGE_INTEGER EndUnload;WCHAR UserName[32];ULONG AuthIDLow=0;
NtQuerySystemTime(&StartTotal);#endif
//
// Impersonate the client
//
Status = LsapImpersonateClient( );
if (!NT_SUCCESS(Status)) { return( Status ); }
EFS_USER_INFO EfsUserInfo;
if (EfspGetUserInfo( &EfsUserInfo )) {
#ifdef ProfilingEfs
wcscpy(UserName, EfsUserInfo.lpUserName);AuthIDLow = EfsUserInfo.AuthId.LowPart;NtQuerySystemTime(&StartProfile);#endif
BOOL b = EfspLoadUserProfile( &EfsUserInfo, FALSE );
#ifdef ProfilingEfs
NtQuerySystemTime(&EndProfile);#endif
if (!b) {
HResult = GetLastError(); if (!EfsErrorToNtStatus(HResult, &Status)) { Status = STATUS_UNSUCCESSFUL; }
} else {
//
// Generate the Fek. This routine will fill in the
// EFS_KEY structure with key data.
//
if (GenerateFEK( Fek )) {
if (!ConstructEFS( &EfsUserInfo, *Fek, DirectoryEfsStream, &EfsStreamHeader )) {
HResult = GetLastError();
ASSERT( HResult != ERROR_SUCCESS );
DebugLog((DEB_ERROR, "ConstructEFS failed, error = (%x)\n" ,HResult ));
LsapFreeLsaHeap( *Fek ); *Fek = NULL;
if (!EfsErrorToNtStatus(HResult, &Status)) { Status = STATUS_UNSUCCESSFUL; }
} else {
*EfsStream = EfsStreamHeader; *EfsLength = EfsStreamHeader->Length; }
} else {
HResult = GetLastError(); if (!EfsErrorToNtStatus(HResult, &Status)) { Status = STATUS_UNSUCCESSFUL; } }
#ifdef ProfilingEfs
NtQuerySystemTime(&StartUnload);#endif
EfspUnloadUserProfile( &EfsUserInfo );
#ifdef ProfilingEfs
NtQuerySystemTime(&EndUnload);#endif
}
EfspFreeUserInfo( &EfsUserInfo );
} else {
HResult = GetLastError(); if (!EfsErrorToNtStatus(HResult, &Status)) { Status = STATUS_UNSUCCESSFUL; }
}
RevertToSelf();
#ifdef ProfilingEfs
NtQuerySystemTime(&EndTotal);
OutputEfsProfilingLog( UserName, AuthIDLow, L"Create", &StartTotal, &StartProfile, &EndProfile, &StartUnload, &EndUnload, &EndTotal );#endif
return Status;}
NTSTATUSWLsaGenerateDirEfs( PEFS_DATA_STREAM_HEADER DirectoryEfsStream, PEFS_DATA_STREAM_HEADER * EfsStream ){ NTSTATUS Status; DWORD HResult;
PEFS_KEY Fek = NULL;
Status = LsapImpersonateClient( );
if (!NT_SUCCESS(Status)) { return( Status ); }
EFS_USER_INFO EfsUserInfo;
if (EfspGetUserInfo( &EfsUserInfo )) {
if (!EfspLoadUserProfile( &EfsUserInfo, FALSE )) {
HResult = GetLastError(); if (!EfsErrorToNtStatus(HResult, &Status)) { Status = STATUS_UNSUCCESSFUL; }
} else {
if (GenerateFEK( &Fek )) {
if (!ConstructDirectoryEFS( &EfsUserInfo, Fek, EfsStream )) {
HResult = GetLastError(); ASSERT( HResult != ERROR_SUCCESS ); DebugLog((DEB_ERROR, "ConstructDirectoryEFS failed, error = (%x)\n" ,HResult )); if (!EfsErrorToNtStatus(HResult, &Status)) { Status = STATUS_UNSUCCESSFUL; } }
LsapFreeLsaHeap( Fek );
} else {
HResult = GetLastError(); if (!EfsErrorToNtStatus(HResult, &Status)) { Status = STATUS_UNSUCCESSFUL; } }
EfspUnloadUserProfile( &EfsUserInfo ); }
EfspFreeUserInfo( &EfsUserInfo );
} else {
HResult = GetLastError(); if (!EfsErrorToNtStatus(HResult, &Status)) { Status = STATUS_UNSUCCESSFUL; } }
RevertToSelf();
return Status;}
�NTSTATUSLpcEfsGenerateKey( PSPM_LPC_MESSAGE pApiMessage)
/*++
Routine Description:
This routine generates an FEK and an EFS stream for the file being encrypted.
Arguments:
pApiMessage - Supplies the LPC message from the driver.
Return Value:
return-value - Description of conditions needed to return value. - or - None.
--*/
{ NTSTATUS scRet; SPMEfsGenerateKeyAPI * Args = &pApiMessage->ApiMessage.Args.SpmArguments.API.EfsGenerateKey ; ULONG EfsLength = 0; PEFS_KEY Fek = NULL; PEFS_DATA_STREAM_HEADER EfsStream; SIZE_T BufferLength;
DebugLog((DEB_TRACE_EFS,"LpcEfsGenerateKey, Args is at %x\n",Args));
if ((pApiMessage->pmMessage.u2.s2.Type & LPC_KERNELMODE_MESSAGE) == 0){ DebugLog((DEB_ERROR,"Caller is not from kernelmode \n")); pApiMessage->ApiMessage.scRet = STATUS_ACCESS_DENIED ; return STATUS_ACCESS_DENIED; }
if (EfsPersonalVer || EfsDisabled) { pApiMessage->ApiMessage.scRet = STATUS_NOT_SUPPORTED; return STATUS_NOT_SUPPORTED; }
scRet = WLsaGenerateKey( (PEFS_DATA_STREAM_HEADER)Args->DirectoryEfsStream, &EfsStream, &EfsLength, &Fek );
if (NT_SUCCESS( scRet )) {
//
// Copy the FEK to the client's address space
//
PVOID Target = NULL;
BufferLength = EFS_KEY_SIZE( Fek ) + EfsLength;
#ifdef LSAP_CATCH_BAD_VM
if ( BufferLength > 0x2000000 ) { DbgPrint("Allocation too large\n" ); DbgBreakPoint(); }#endif
scRet = NtAllocateVirtualMemory( GetCurrentProcess(), &Target, 0, &BufferLength, MEM_COMMIT, PAGE_READWRITE );
Args->BufferLength = (ULONG) BufferLength; if (NT_SUCCESS( scRet )) {
//
// Save away the base of the allocation so that the driver may free it
// when it's finished with it.
//
Args->BufferBase = Target; Args->Fek = Target;
RtlCopyMemory( Target, (PVOID)Fek, EFS_KEY_SIZE( Fek ) );
Target = (PVOID)((ULONG_PTR)Target + EFS_KEY_SIZE( Fek )); Args->EfsStream = Target;
RtlCopyMemory( Target, (PVOID)EfsStream, EfsLength );
} else {
Args->BufferBase = NULL; Args->BufferLength = 0; Args->Fek = NULL; Args->EfsStream = NULL;
}
if ( Fek ){ RtlSecureZeroMemory(EFS_KEY_DATA(Fek), Fek->KeyLength ); LsapFreeLsaHeap( Fek ); }
if ( EfsStream ){ LsapFreeLsaHeap( EfsStream ); } }
pApiMessage->ApiMessage.scRet = scRet; return( scRet );}
NTSTATUSLpcEfsGenerateDirEfs( PSPM_LPC_MESSAGE pApiMessage )/*++
Routine Description:
Lpc stub for GenerateDirEfs
Arguments:
pApiMessage - LPC Message
Return Value:
NtStatus
--*/{ SPMEfsGenerateDirEfsAPI * Args = &pApiMessage->ApiMessage.Args.SpmArguments.API.EfsGenerateDirEfs ; PEFS_DATA_STREAM_HEADER EfsStream; NTSTATUS scRet; ULONG EfsLength = 0;
if ((pApiMessage->pmMessage.u2.s2.Type & LPC_KERNELMODE_MESSAGE) == 0){ DebugLog((DEB_ERROR,"Caller is not from kernelmode \n")); pApiMessage->ApiMessage.scRet = STATUS_ACCESS_DENIED ; return STATUS_ACCESS_DENIED; }
if (EfsPersonalVer || EfsDisabled) { pApiMessage->ApiMessage.scRet = STATUS_NOT_SUPPORTED; return STATUS_NOT_SUPPORTED; }
scRet = WLsaGenerateDirEfs( (PEFS_DATA_STREAM_HEADER)Args->DirectoryEfsStream, &EfsStream );
if (NT_SUCCESS( scRet )) {
PVOID Target = NULL;
SIZE_T EfsLength = EfsStream->Length;
#ifdef LSAP_CATCH_BAD_VM
if ( EfsLength > 0x2000000 ) { DbgPrint("Allocation too large\n" ); DbgBreakPoint(); }#endif
scRet = NtAllocateVirtualMemory( GetCurrentProcess(), &Target, 0, &EfsLength, MEM_COMMIT, PAGE_READWRITE );
if (NT_SUCCESS( scRet )) {
Args->BufferBase = Target; Args->BufferLength = EfsStream->Length; Args->EfsStream = Target;
RtlCopyMemory( Target, (PVOID)EfsStream, EfsStream->Length );
} else {
Args->BufferBase = NULL; Args->BufferLength = 0; Args->EfsStream = NULL; }
if (EfsStream){ LsapFreeLsaHeap( EfsStream ); } }
pApiMessage->ApiMessage.scRet = scRet; return( scRet );}
NTSTATUSWLsaDecryptFek( PEFS_DATA_STREAM_HEADER EfsStream, PEFS_KEY * Fek, PEFS_DATA_STREAM_HEADER * NewEfs, ULONG OpenType )
/*++
Routine Description:
Worker function for DecryptFek
Arguments:
EfsStream - The $EFS attribute for the file being decrypted.
Fek - Returns the FEK for the file being decrypted. This structure is allocated out of heap and must be freed by the caller.
NewEfs - Optionally returns a new $EFS stream to be applied to the file.
OpenType - Whether this is a decrypt or recovery operation.
Return Value:
NtStatus
--*/
{ NTSTATUS Status; DWORD HResult; DWORD rc;
HANDLE hToken = NULL; HANDLE hProfile = NULL;
#ifdef ProfilingEfs
LARGE_INTEGER StartTotal;LARGE_INTEGER StartProfile;LARGE_INTEGER EndProfile;LARGE_INTEGER EndTotal;LARGE_INTEGER StartUnload;LARGE_INTEGER EndUnload;WCHAR UserName[32];ULONG AuthIDLow=0;
NtQuerySystemTime(&StartTotal);#endif
Status = LsapImpersonateClient( );
if (!NT_SUCCESS(Status)) { return( Status ); }
EFS_USER_INFO EfsUserInfo;
if (EfspGetUserInfo( &EfsUserInfo ) ) {
#ifdef ProfilingEfs
wcscpy(UserName, EfsUserInfo.lpUserName);AuthIDLow = EfsUserInfo.AuthId.LowPart;NtQuerySystemTime(&StartProfile);#endif
if (EfspLoadUserProfile( &EfsUserInfo, FALSE )) {
#ifdef ProfilingEfs
NtQuerySystemTime(&EndProfile);#endif
HResult = DecryptFek( &EfsUserInfo, EfsStream, Fek, NewEfs, OpenType );
if (HResult != ERROR_SUCCESS) { DebugLog((DEB_ERROR, "WLsaDecryptFek: DecryptFek failed, error = %x\n" ,HResult )); if (!EfsErrorToNtStatus(HResult, &Status)) { Status = STATUS_UNSUCCESSFUL; } }
#ifdef ProfilingEfs
NtQuerySystemTime(&StartUnload);#endif
EfspUnloadUserProfile( &EfsUserInfo );
#ifdef ProfilingEfs
NtQuerySystemTime(&EndUnload);#endif
} else {
HResult = GetLastError(); if (!EfsErrorToNtStatus(HResult, &Status)) { Status = STATUS_UNSUCCESSFUL; } }
EfspFreeUserInfo( &EfsUserInfo );
} else {
HResult = GetLastError(); if (!EfsErrorToNtStatus(HResult, &Status)) { Status = STATUS_UNSUCCESSFUL; } }
RevertToSelf();
#ifdef ProfilingEfs
NtQuerySystemTime(&EndTotal);OutputEfsProfilingLog( UserName, AuthIDLow, L"Open", &StartTotal, &StartProfile, &EndProfile, &StartUnload, &EndUnload, &EndTotal );#endif
return Status;}
NTSTATUSLpcEfsDecryptFek( PSPM_LPC_MESSAGE pApiMessage){ SPMEfsDecryptFekAPI * Args = &pApiMessage->ApiMessage.Args.SpmArguments.API.EfsDecryptFek ; PEFS_DATA_STREAM_HEADER NewEfs; NTSTATUS Status; ULONG EfsLength = 0; PEFS_KEY Fek; SIZE_T BufferLength;
Args->BufferBase = NULL; Args->BufferLength = 0; Args->Fek = NULL; Args->NewEfs = NULL;
if ((pApiMessage->pmMessage.u2.s2.Type & LPC_KERNELMODE_MESSAGE) == 0){ DebugLog((DEB_ERROR,"Caller is not from kernelmode \n")); pApiMessage->ApiMessage.scRet = STATUS_ACCESS_DENIED ; return STATUS_ACCESS_DENIED; }
if (EfsPersonalVer || EfsDisabled) { pApiMessage->ApiMessage.scRet = STATUS_NOT_SUPPORTED; return STATUS_NOT_SUPPORTED; }
Status = WLsaDecryptFek( (PEFS_DATA_STREAM_HEADER)Args->EfsStream, &Fek, &NewEfs, Args->OpenType );
if (NT_SUCCESS( Status )) {
BufferLength = EFS_KEY_SIZE( Fek );
if (NewEfs != NULL) { BufferLength += NewEfs->Length; }
PVOID Target = NULL;
#ifdef LSAP_CATCH_BAD_VM
if ( BufferLength > 0x2000000 ) { DbgPrint("Allocation too large\n" ); DbgBreakPoint(); }#endif
Status = NtAllocateVirtualMemory( GetCurrentProcess(), &Target, 0, &BufferLength, MEM_COMMIT, PAGE_READWRITE );
Args->BufferLength = (ULONG) BufferLength; if (NT_SUCCESS( Status )) {
Args->BufferBase = Target; Args->Fek = Target;
RtlCopyMemory( Target, (PVOID)Fek, EFS_KEY_SIZE( Fek ) );
if (NewEfs != NULL) {
Target = (PVOID)((DWORD_PTR)Target + EFS_KEY_SIZE( Fek )); Args->NewEfs = Target;
RtlCopyMemory( Target, (PVOID)NewEfs, NewEfs->Length );
}
} else {
Args->BufferBase = NULL; Args->BufferLength = 0; Args->Fek = NULL;
}
if ( Fek){ RtlSecureZeroMemory(EFS_KEY_DATA(Fek), Fek->KeyLength ); LsapFreeLsaHeap( Fek ); }
if ( NewEfs ){ LsapFreeLsaHeap( NewEfs ); } }
pApiMessage->ApiMessage.scRet = Status;
return( Status );}
NTSTATUSLpcEfsGenerateSessionKey( PSPM_LPC_MESSAGE pApiMessage ){ SPMEfsGenerateSessionKeyAPI * Args = &pApiMessage->ApiMessage.Args.SpmArguments.API.EfsGenerateSessionKey ; NTSTATUS scRet;
EFS_INIT_DATAEXG InitDataExg;
if ((pApiMessage->pmMessage.u2.s2.Type & LPC_KERNELMODE_MESSAGE) == 0){ DebugLog((DEB_ERROR,"Caller is not from kernelmode \n")); pApiMessage->ApiMessage.scRet = STATUS_ACCESS_DENIED ; return STATUS_ACCESS_DENIED; }
if ( EfsSessionKeySent ){ pApiMessage->ApiMessage.scRet = STATUS_ACCESS_DENIED ; return STATUS_ACCESS_DENIED; }
scRet = GenerateDriverSessionKey( &InitDataExg );
if (NT_SUCCESS( scRet )) {
//
// Copy the returned session key into the argument buffer
//
RtlCopyMemory( &Args->InitDataExg, &InitDataExg, sizeof( EFS_INIT_DATAEXG ));
pApiMessage->pmMessage.u1.s1.DataLength = LPC_DATA_LENGTH( sizeof( EFS_INIT_DATAEXG ) ); pApiMessage->pmMessage.u1.s1.TotalLength = LPC_TOTAL_LENGTH( sizeof( EFS_INIT_DATAEXG ) );
EfsSessionKeySent = TRUE; }
//
// Wipe out the session key
//
RtlSecureZeroMemory((PVOID)&InitDataExg, sizeof( EFS_INIT_DATAEXG )); pApiMessage->ApiMessage.scRet = scRet;
return( scRet );}
NTSTATUSLpcGetUserName( PSPM_LPC_MESSAGE pApiMessage ){
LUID LogonId ; PLSAP_LOGON_SESSION LogonSession ; NTSTATUS Status ; SECPKG_CLIENT_INFO ClientInfo ; SPMGetUserNameXAPI * Args = &pApiMessage->ApiMessage.Args.SpmArguments.API.GetUserNameX ; PLSAP_DS_NAME_MAP Map ; PLSAP_DS_NAME_MAP SamMap = NULL ; UNICODE_STRING String ; PWSTR Scan ; PWSTR DnsDomainName = NULL;
Status = LsapGetClientInfo( &ClientInfo );
if ( NT_SUCCESS( Status ) ) { LogonSession = LsapLocateLogonSession( &ClientInfo.LogonId );
if ( LogonSession ) { if ( RtlEqualLuid( &ClientInfo.LogonId, &LsapSystemLogonId ) && (Args->Options & SPM_NAME_OPTION_NT4_ONLY) ) { Map = LsapGetNameForLocalSystem();
Status = STATUS_SUCCESS ;
} else { Status = LsapGetNameForLogonSession( LogonSession, Args->Options, &Map, FALSE );
if (NT_SUCCESS(Status) && (Args->Options & (~SPM_NAME_OPTION_MASK)) == NameDnsDomain) { //
// To cruft up the NameDnsDomain format, we need
// the SAM username.
//
Status = LsapGetNameForLogonSession( LogonSession, NameSamCompatible, &SamMap, FALSE);
if (!NT_SUCCESS(Status)) { LsapDerefDsNameMap(Map); } } }
LsapReleaseLogonSession( LogonSession );
if ( NT_SUCCESS( Status ) ) { //
// See what we can do.
//
if ( (Args->Options & SPM_NAME_OPTION_NT4_ONLY) == 0) { if ((Args->Options & (~SPM_NAME_OPTION_MASK )) != NameDnsDomain) { String = Map->Name ; } else { //
// Build up the DnsDomainName format
//
Scan = wcschr( SamMap->Name.Buffer, L'\\' );
if ( Scan ) { Scan++; } else { Scan = SamMap->Name.Buffer; }
//
// SAM name is always NULL-terminated
//
SafeAllocaAllocate(DnsDomainName, Map->Name.Length + (wcslen(Scan) + 2) * sizeof(WCHAR));
if (DnsDomainName != NULL) { ULONG Index = Map->Name.Length / sizeof(WCHAR);
wcsncpy(DnsDomainName, Map->Name.Buffer, Index); DnsDomainName[Index++] = L'\\'; wcscpy(DnsDomainName + Index, Scan);
RtlInitUnicodeString(&String, DnsDomainName); } else { String.Length = String.MaximumLength = 0; String.Buffer = NULL;
Status = STATUS_NO_MEMORY; }
LsapDerefDsNameMap(SamMap); } } else { Scan = wcschr( Map->Name.Buffer, L'\\' );
if ( Scan ) { Scan++; RtlInitUnicodeString( &String, Scan ); } else { String = Map->Name ; } }
if (NT_SUCCESS(Status)) { if ( String.Length <= Args->Name.MaximumLength ) { Args->Name.Length = String.Length ;
if ( String.Length < CBPREPACK ) { Args->Name.Buffer = (PWSTR) ((LONG_PTR) pApiMessage->ApiMessage.bData - (LONG_PTR) Args);
RtlCopyMemory( pApiMessage->ApiMessage.bData, String.Buffer, String.Length );
pApiMessage->pmMessage.u1.s1.DataLength = LPC_DATA_LENGTH( String.Length ); pApiMessage->pmMessage.u1.s1.TotalLength = LPC_TOTAL_LENGTH( String.Length ); } else { Status = LsapCopyToClient( String.Buffer, Args->Name.Buffer, String.Length ); } } else { Args->Name.Length = String.Length ; Args->Name.Buffer = NULL ; Status = STATUS_BUFFER_OVERFLOW ; } }
LsapDerefDsNameMap( Map ); } else { if ( Status == STATUS_UNSUCCESSFUL ) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_WIN32_ERROR ; Status = GetLastError(); } } } else { DebugLog(( DEB_ERROR, "No logon session found for impersonated client!\n" )); Status = STATUS_NO_SUCH_LOGON_SESSION ; } }
SafeAllocaFree(DnsDomainName);
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ;
pApiMessage->ApiMessage.scRet = Status ;
return STATUS_SUCCESS ;}
NTSTATUSLpcAddCredentials( PSPM_LPC_MESSAGE pApiMessage ){ UNICODE_STRING ssPrincipalName; UNICODE_STRING ssPackageName; NTSTATUS scApiRet; NTSTATUS scRet; SPMAddCredentialAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.AddCredential; PUCHAR Where = NULL;
DebugLog((DEB_TRACE, "[%x] LpcAddCredentials()\n", GetCurrentSession()->dwProcessID));
ssPrincipalName.Buffer = NULL; ssPackageName.Buffer = NULL;
if (pArgs->ssPrincipal.Buffer ) { scRet = GetClientString(&pArgs->ssPrincipal, &ssPrincipalName, pApiMessage, &Where); if (FAILED(scRet)) { DebugLog((DEB_ERROR, "GetClientString failed to get principal name 0x%08x\n", scRet)); pApiMessage->ApiMessage.scRet = scRet; return(scRet); }
} else { ssPrincipalName.MaximumLength = 0; ssPrincipalName.Length = 0; ssPrincipalName.Buffer = NULL; }
scRet = GetClientString(&pArgs->ssSecPackage, &ssPackageName, pApiMessage, &Where);
if (FAILED(scRet)) { LsapFreePrivateHeap(ssPrincipalName.Buffer); DebugLog((DEB_ERROR, "GetClientString failed to get package name 0x%08x\n", scRet)); pApiMessage->ApiMessage.scRet = scRet; return(scRet); }
scApiRet = WLsaAddCredentials( &pArgs->hCredentials, &ssPrincipalName, &ssPackageName, pArgs->fCredentialUse, (PVOID) pArgs->pvAuthData, (PVOID) pArgs->pvGetKeyFn, (PVOID) pArgs->ulGetKeyArgument, &pArgs->tsExpiry );
//
// Reset the reply flags:
//
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ;
LsapFreePrivateHeap(ssPackageName.Buffer);
LsapFreePrivateHeap(ssPrincipalName.Buffer);
pApiMessage->ApiMessage.scRet = scApiRet; if (FAILED(pApiMessage->ApiMessage.scRet)) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET; } return(S_OK);
}
NTSTATUSLpcEnumLogonSessions( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS scApiRet; NTSTATUS scRet; SPMEnumLogonSessionAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.EnumLogonSession ;
DebugLog((DEB_TRACE, "[%x] LpcEnumLogonSessions()\n", GetCurrentSession()->dwProcessID));
scApiRet = WLsaEnumerateLogonSession( &pArgs->LogonSessionCount, (PLUID *) &pArgs->LogonSessionList );
//
// Reset the reply flags:
//
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ; pApiMessage->ApiMessage.scRet = scApiRet;
if (FAILED(pApiMessage->ApiMessage.scRet)) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET; }
return(S_OK);}
NTSTATUSLpcGetLogonSessionData( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS scApiRet; NTSTATUS scRet; SPMGetLogonSessionDataAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.GetLogonSessionData ;
DebugLog((DEB_TRACE, "[%x] LpcGetLogonSessionData()\n", GetCurrentSession()->dwProcessID));
scApiRet = WLsaGetLogonSessionData( &pArgs->LogonId, &pArgs->LogonSessionInfo );
//
// Reset the reply flags:
//
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ;
pApiMessage->ApiMessage.scRet = scApiRet;
if (FAILED(pApiMessage->ApiMessage.scRet)) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET; } return(S_OK);
}
NTSTATUSLpcLookupAccountName( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS scApiRet; NTSTATUS scRet; SPMLookupAccountNameXAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.LookupAccountNameX ; UNICODE_STRING Name ; PUCHAR Where = NULL ; LSAPR_TRANSLATED_SIDS_EX2 Sids ; PLSAPR_REFERENCED_DOMAIN_LIST DomList ; LSAPR_UNICODE_STRING String ; ULONG MappedCount ; ULONG Available ; ULONG Size ;
DebugLog((DEB_TRACE, "[%x] LpcLookupAccountName()\n", GetCurrentSession()->dwProcessID));
scApiRet = GetClientString( &pArgs->Name, &Name, pApiMessage, &Where );
if ( NT_SUCCESS( scApiRet ) ) { MappedCount = 0 ;
String.Length = Name.Length ; String.MaximumLength = Name.MaximumLength ; String.Buffer = Name.Buffer ;
scApiRet = LsarLookupNames3( LsapPolicyHandle, 1, &String, &DomList, &Sids, LsapLookupWksta, &MappedCount, 0, LSA_CLIENT_LATEST );
if ( NT_SUCCESS( scApiRet ) ) {
Where = pApiMessage->ApiMessage.bData ; pArgs->NameUse = Sids.Sids[0].Use ;
Size = RtlLengthSid( (PSID) Sids.Sids[0].Sid );
pArgs->Sid = (PVOID) (Where - (PUCHAR) pApiMessage) ; RtlCopyMemory( Where, Sids.Sids[0].Sid, Size );
Available = CBPREPACK - Size ; Where += Size ;
Size = DomList->Domains[0].Name.Length ; if ( Available >= Size ) { RtlCopyMemory( Where, DomList->Domains[0].Name.Buffer, Size );
pArgs->Domain.Buffer = (PWSTR) (Where - (PUCHAR) pApiMessage ) ; pArgs->Domain.Length = (USHORT) Size ; pArgs->Domain.MaximumLength = (USHORT) Size ;
} else { pArgs->Domain.Buffer = NULL ; pArgs->Domain.Length = 0 ; pArgs->Domain.MaximumLength = 0 ; }
MIDL_user_free( DomList ); MIDL_user_free( Sids.Sids ); } }
//
// Reset the reply flags:
//
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ;
pApiMessage->ApiMessage.scRet = scApiRet;
if (FAILED(pApiMessage->ApiMessage.scRet)) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET; }
return(S_OK);}
NTSTATUSLpcLookupAccountSid( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS scApiRet = STATUS_SUCCESS ; NTSTATUS scRet; SPMLookupAccountSidXAPI * pArgs = &pApiMessage->ApiMessage.Args.SpmArguments.API.LookupAccountSidX ; PUCHAR Where = NULL ; PLSAPR_REFERENCED_DOMAIN_LIST DomList ; LSAPR_SID_ENUM_BUFFER SidBuffer ; LSAPR_SID_INFORMATION SidInfo ; LSAPR_TRANSLATED_NAMES_EX Names ; ULONG MappedCount ; SIZE_T Available ; ULONG Size ; PSID Sid = NULL ; PLSA_CALL_INFO CallInfo ; ULONG Consumed = 0 ;
CallInfo = LsapGetCurrentCall();
DebugLog((DEB_TRACE, "[%x] LpcLookupAccountSid()\n", GetCurrentSession()->dwProcessID));
Where = (ULONG_PTR) pArgs->Sid + (PUCHAR) pApiMessage ; Available = sizeof( SPM_LPC_MESSAGE ) - (ULONG_PTR) pArgs->Sid ;
//
// Verify that the passed SID is at least large enough for the SID header
//
if ( Available < sizeof( SID ) ) { scApiRet = STATUS_INVALID_PARAMETER ; }
if ( NT_SUCCESS( scApiRet ) ) { Sid = (PSID) ( Where );
if ( !RtlValidSid( Sid )) { scApiRet = STATUS_INVALID_PARAMETER; } }
if ( NT_SUCCESS( scApiRet ) ) { Size = RtlLengthSid( Sid );
if ( Size > Available ) { scApiRet = STATUS_INVALID_PARAMETER ; } }
if ( NT_SUCCESS( scApiRet ) ) { PSID DomainSid = NULL; MappedCount = 0 ;
SidInfo.Sid = (PLSAPR_SID) Sid ; SidBuffer.Entries = 1 ; SidBuffer.SidInfo = &SidInfo ;
scApiRet = LsarLookupSids2( LsapPolicyHandle, &SidBuffer, &DomList, &Names, LsapLookupWksta, &MappedCount, 0, LSA_CLIENT_LATEST );
if ( NT_SUCCESS( scApiRet ) && ( MappedCount == 1 ) ) { pArgs->Domain.Buffer = NULL ; pArgs->Domain.Length = 0 ; pArgs->Domain.MaximumLength = 0 ;
if ( CallInfo->KMap ) { CallInfo->Flags |= CALL_FLAG_KMAP_USED ; }
Where = pApiMessage->ApiMessage.bData ;
pArgs->NameUse = Names.Names[0].Use ;
Size = Names.Names[0].Name.Length ;
Available = CBPREPACK ;
if ( Available >= Size ) { pArgs->Name.Buffer = (PWSTR) (Where - (PUCHAR) pApiMessage ); pArgs->Name.Length = (USHORT) Size ; pArgs->Name.MaximumLength = pArgs->Name.Length ;
RtlCopyMemory( Where, Names.Names[0].Name.Buffer, Size );
Available = Available - Size ; Where += Size ; Consumed += Size ; } else { pArgs->Name.Buffer = (PWSTR) LsapClientAllocate( Size + sizeof( WCHAR ) );
if ( pArgs->Name.Buffer ) { scApiRet = LsapCopyToClient( Names.Names[0].Name.Buffer, pArgs->Name.Buffer, Size );
pArgs->Name.Length = (USHORT) Size ; pArgs->Name.MaximumLength = (USHORT) Size ; } }
Size = DomList->Domains[0].Name.Length ; if ( Available >= Size ) { RtlCopyMemory( Where, DomList->Domains[0].Name.Buffer, Size );
pArgs->Domain.Buffer = (PWSTR) (Where - (PUCHAR) pApiMessage ); pArgs->Domain.Length = (USHORT) Size ; pArgs->Domain.MaximumLength = (USHORT) Size ;
Consumed += Size ; } else { //
// Attempt to allocate in the client space:
//
pArgs->Domain.Buffer = (PWSTR) LsapClientAllocate( Size + sizeof( WCHAR ) );
if ( pArgs->Domain.Buffer ) { scApiRet = LsapCopyToClient( DomList->Domains[0].Name.Buffer, pArgs->Domain.Buffer, Size );
pArgs->Domain.Length = (USHORT) Size ; pArgs->Domain.MaximumLength = (USHORT) Size ; } }
if ( pArgs->Name.Buffer == NULL || pArgs->Domain.Buffer == NULL ) { scApiRet = STATUS_NO_MEMORY; }
MIDL_user_free( DomList ); MIDL_user_free( Names.Names ); }
SafeAllocaFree( DomainSid ); }
//
// Reset the reply flags:
//
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ; pApiMessage->pmMessage.u1.s1.DataLength = LPC_DATA_LENGTH( Consumed ); pApiMessage->pmMessage.u1.s1.TotalLength = LPC_TOTAL_LENGTH( Consumed ); pApiMessage->ApiMessage.scRet = scApiRet;
if (FAILED(pApiMessage->ApiMessage.scRet)) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET; }
return(S_OK);}
NTSTATUSLpcLookupWellKnownSid( PSPM_LPC_MESSAGE pApiMessage ){ NTSTATUS scApiRet = STATUS_SUCCESS ; DECLARE_ARGSP( pArgs, pApiMessage, LookupWellKnownSid ); PUCHAR Where = NULL ; PSID Sid = NULL ; ULONG Consumed = 0 ; UCHAR AccountDomain[ SECURITY_MAX_SID_SIZE ];
DebugLog((DEB_TRACE, "[%x] LpcLookupWellKnownSid()\n", GetCurrentSession()->dwProcessID));
Consumed = CBPREPACK ; Where = pApiMessage->ApiMessage.bData ; pArgs->Sid = (PVOID) (Where - (PUCHAR) pApiMessage );
Sid = (PSID) AccountDomain ; RtlCopyMemory( Sid, LsapAccountDomainMemberSid, RtlLengthSid( LsapAccountDomainMemberSid ) );
//
// The global LsapAccountDomainMemberSid is always of the form S-1-5-15-x-y-z-0
// the 'if' statement below should always evaluate to true, and proceed
// to whack off the trailing zero
//
if ( *RtlSubAuthoritySid(Sid, *RtlSubAuthorityCountSid(Sid) - 1) == 0 ) { *RtlSubAuthorityCountSid( Sid ) = *RtlSubAuthorityCountSid( Sid ) - 1 ; }
if ( Consumed > SECURITY_MAX_SID_SIZE ) { Consumed = SECURITY_MAX_SID_SIZE; }
if ( CreateWellKnownSid( pArgs->SidType, Sid, (PSID) Where, &Consumed ) ) { scApiRet = STATUS_SUCCESS ; } else { Consumed = 0 ; scApiRet = STATUS_INVALID_PARAMETER ; }
//
// Reset the reply flags:
//
pApiMessage->ApiMessage.Args.SpmArguments.fAPI &= KLPC_FLAG_RESET ;
pApiMessage->pmMessage.u1.s1.DataLength = LPC_DATA_LENGTH( Consumed ); pApiMessage->pmMessage.u1.s1.TotalLength = LPC_TOTAL_LENGTH( Consumed );
pApiMessage->ApiMessage.scRet = scApiRet;
if (FAILED(pApiMessage->ApiMessage.scRet)) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET; }
return(S_OK);}
//+---------------------------------------------------------------------------
//
// Function: LsapClientCallback
//
// Synopsis: Client Callback.
//
// Arguments: [Session] --
// [Type] --
// [Function] --
// [Argument1] --
// [Argument2] --
// [Input] --
// [Output] --
//
// History: 12-09-97 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLsapClientCallback( PSession Session, ULONG Type, PVOID Function, PVOID Argument1, PVOID Argument2, PSecBuffer Input, PSecBuffer Output ){ PSPM_LPC_MESSAGE Message ; NTSTATUS Status ; SPMCallbackAPI * Args ; PSPM_LPC_MESSAGE ReplyTo ; PVOID ClientBuffer ; PLSA_CALL_INFO CallInfo ;
CallInfo = LsapGetCurrentCall();
if ( !CallInfo ) { return STATUS_INVALID_PARAMETER ; }
ReplyTo = CallInfo->Message ;
if ( !ReplyTo ) { return STATUS_INVALID_PARAMETER ; }
SafeAllocaAllocate(Message, sizeof( SPM_LPC_MESSAGE ));
if ( !Message ) { return SEC_E_INSUFFICIENT_MEMORY ; }
// DebugLog(( DEB_TRACE_LPC, "Calling back on LPC message %x\n",
// ReplyTo->pmMessage.MessageId ));
PREPARE_MESSAGE_EX( (*Message), Callback, SPMAPI_FLAG_CALLBACK, 0 );
Message->pmMessage = ReplyTo->pmMessage ; Message->pmMessage.u1.s1.DataLength = LPC_DATA_LENGTH( 0 ); Message->pmMessage.u1.s1.TotalLength = LPC_TOTAL_LENGTH( 0 );
Args = LPC_MESSAGE_ARGS( (*Message), Callback );
Args->Type = Type ; Args->CallbackFunction = Function ; Args->Argument1 = Argument1 ; Args->Argument2 = Argument2 ;
if ( Input->pvBuffer ) { Status = LsapWriteClientBuffer( Input, &Args->Input );
if ( !NT_SUCCESS( Status ) ) { SafeAllocaFree( Message );
return Status ; } } else { Args->Input.BufferType = SECBUFFER_EMPTY ; Args->Input.cbBuffer = 0 ; Args->Input.pvBuffer = NULL ; }
ClientBuffer = Args->Input.pvBuffer ;
if ( CallInfo->InProcCall ) { //
// Inproc Callback!
//
Status = DllCallbackHandler( Message ); } else { DsysAssert( Session->hPort );
Status = NtRequestWaitReplyPort( Session->hPort, (PPORT_MESSAGE) Message, (PPORT_MESSAGE) Message ); }
if ( !NT_SUCCESS( Status ) ) { SafeAllocaFree( Message );
return Status ; }
if ( ClientBuffer ) { LsapFreeClientBuffer( NULL, ClientBuffer ); }
*Output = Args->Output ;
Status = Message->ApiMessage.scRet ;
SafeAllocaFree( Message );
return Status ;}
//+---------------------------------------------------------------------------
//
// Function: LsapShutdownInprocDll
//
// Synopsis: Shuts down the inproc secur32 DLL
//
// History: 11-04-98 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
VOIDLsapShutdownInprocDll( VOID ){ SPM_LPC_MESSAGE LocalMessage ; PSPM_LPC_MESSAGE Message ; SPMCallbackAPI * Args ;
Message = &LocalMessage;
PREPARE_MESSAGE_EX( (*Message), Callback, SPMAPI_FLAG_CALLBACK, 0 );
Args = LPC_MESSAGE_ARGS( (*Message), Callback );
Args->Type = SPM_CALLBACK_INTERNAL ; Args->CallbackFunction = NULL ; Args->Argument1 = (PVOID) SPM_CALLBACK_SHUTDOWN ; Args->Argument2 = 0 ;
if ( DllCallbackHandler ) { (void) DllCallbackHandler( Message ); }
}
//+-------------------------------------------------------------------------
//
// Function: DispatchAPI()
//
// Synopsis: Dispatches API requests
//
// Effects:
//
// Arguments: pApiMessage - Input message
// pApiMessage - Output message
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
extern "C"NTSTATUSDispatchAPI(PSPM_LPC_MESSAGE pApiMessage){ NTSTATUS scRet; PSession pSession ;
pSession = GetCurrentSession();
DebugLog((DEB_TRACE,"[%x] LpcDispatch: dispatching %s (%x)\n", pSession->dwProcessID, ApiLabel(pApiMessage->ApiMessage.dwAPI), pApiMessage->ApiMessage.dwAPI));
scRet = 0;
if ((pApiMessage->ApiMessage.dwAPI >= LsapAuLookupPackageApi) && (pApiMessage->ApiMessage.dwAPI < SPMAPI_MaxApiNumber) && (LpcDispatchTable[pApiMessage->ApiMessage.dwAPI] != NULL) ) { if ( !ShutdownBegun ) { scRet = LpcDispatchTable[pApiMessage->ApiMessage.dwAPI](pApiMessage);
//
// BUGBUG: If scRet is not STATUS_SUCCESS, the error code gets dropped
//
} else { pApiMessage->ApiMessage.scRet = STATUS_SHUTDOWN_IN_PROGRESS; }
//
// Shutdown may have been initiated prior or during a call in progress.
// If the call failed, we always return an error code indicating that
// shutdown was invoked. This avoids returning random error codes
// that can result from calls failing due to async shutdown activities.
//
if( ShutdownBegun && !NT_SUCCESS(pApiMessage->ApiMessage.scRet) ) { scRet = STATUS_SHUTDOWN_IN_PROGRESS; pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET; pApiMessage->ApiMessage.scRet = scRet ; }
//
// Do some checking to see if we're getting pounded by an agressive
// app. NOTE: This is not MT safe (counters are not interlocked,
// resets are not protected). This is merely an optimization to try
// and service clients with dedicated threads. The counter may not
// be precise - them's the breaks.
//
pSession->CallCount++ ;
if ( pSession->Tick + 5000 < GetTickCount() ) { //
// Ok, in a minimum five second interval, did more than, say, 50
// requests come in. If so, set a flag indicating that the client
// should request a workqueue.
//
if ( pSession->CallCount > 50 ) { if (pApiMessage->ApiMessage.dwAPI > LsapAuMaxApiNumber ) { pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_GETSTATE ; } } pSession->CallCount = 0; pSession->Tick = GetTickCount(); }
} else { DebugLog((DEB_ERROR, "[%x] Dispatch: Unknown API code %d\n", pSession->dwProcessID, pApiMessage->ApiMessage.dwAPI));
pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET;
pApiMessage->ApiMessage.scRet = SEC_E_UNSUPPORTED_FUNCTION; }
DebugLog((DEB_TRACE, "[%x] LpcDispatch: retcode = %x\n", pSession->dwProcessID, pApiMessage->ApiMessage.scRet));
return(S_OK);}
VOIDLsapInitializeCallInfo( PLSA_CALL_INFO CallInfo, BOOL InProcess ){ PLSA_CALL_INFO OriginalCall ;
OriginalCall = LsapGetCurrentCall() ;
ZeroMemory( CallInfo, sizeof( LSA_CALL_INFO ) );
CallInfo->PreviousCall = OriginalCall ;
CallInfo->InProcCall = InProcess ;
CallInfo->CallInfo.ProcessId = HandleToUlong(NtCurrentTeb()->ClientId.UniqueProcess) ; CallInfo->CallInfo.ThreadId = HandleToUlong(NtCurrentTeb()->ClientId.UniqueThread) ;
CallInfo->CallInfo.Attributes = 0 ; CallInfo->Allocs = 0 ;
CallInfo->LogContext = NULL ;}
NTSTATUSLsapBuildCallInfo( PSPM_LPC_MESSAGE pApiMessage, PLSA_CALL_INFO CallInfo, PHANDLE Impersonated, PSession * NewSession, PSession * OldSession ){ NTSTATUS scRet ; BOOL Recurse = FALSE ; HANDLE ImpersonatedToken ; PSession pOldSession ; PSession pSession ; PLSA_CALL_INFO OriginalCall ;
OriginalCall = LsapGetCurrentCall() ;
LsapInitializeCallInfo( CallInfo, TRUE );
//
// Only copy out the IP address from "new" clients (vs. clients compiled using a version
// of lsadll.lib from a previous OS release that didn't have this field).
//
if ( pApiMessage->ApiMessage.dwAPI == LsapAuLogonUserApi && pApiMessage->pmMessage.u1.s1.DataLength == LSAP_AU_DATA_LENGTH(sizeof(LSAP_LOGON_USER_ARGS))) { RtlCopyMemory(CallInfo->IpAddress, pApiMessage->ApiMessage.Args.LsaArguments.LogonUser.IpAddress, LSAP_ADDRESS_LENGTH); } else if ( pApiMessage->ApiMessage.dwAPI == SPMAPI_AcceptContext ) { RtlCopyMemory(CallInfo->IpAddress, pApiMessage->ApiMessage.Args.SpmArguments.API.AcceptContext.IpAddress, LSAP_ADDRESS_LENGTH); }
//
// Save away who we were impersonating
//
scRet = NtOpenThreadToken( NtCurrentThread(), TOKEN_IMPERSONATE | TOKEN_QUERY | TOKEN_QUERY_SOURCE, TRUE, &ImpersonatedToken ); if (!NT_SUCCESS(scRet)) { if (scRet != STATUS_NO_TOKEN) { return(scRet); } ImpersonatedToken = NULL ;
scRet = STATUS_SUCCESS ; }
*Impersonated = ImpersonatedToken ;
CallInfo->InProcToken = ImpersonatedToken ; CallInfo->Message = pApiMessage ;
//
// Check to see if we're recursing:
//
if ( OriginalCall && OriginalCall->InProcCall && pApiMessage && OriginalCall->Message ) { if ( OriginalCall->Message->ApiMessage.dwAPI == pApiMessage->ApiMessage.dwAPI ) { //
// Same call. Since they're both inproc, the pointers
// are valid. Compare the target strings
//
if ( pApiMessage->ApiMessage.dwAPI == SPMAPI_InitContext ) { Recurse = (RtlCompareUnicodeString( &pApiMessage->ApiMessage.Args.SpmArguments.API.InitContext.ssTarget, &OriginalCall->Message->ApiMessage.Args.SpmArguments.API.InitContext.ssTarget, TRUE ) == 0) ; } else if( pApiMessage->ApiMessage.dwAPI == LsapAuCallPackageApi ) { Recurse = TRUE; } } }
if ( Recurse ) { DebugLog(( DEB_ERROR, "Recursive call\n" )); CallInfo->CallInfo.Attributes |= SECPKG_CALL_RECURSIVE ; }
pOldSession = GetCurrentSession();
pSession = pDefaultSession ;
CallInfo->Session = pSession ;
SpmpReferenceSession( pSession );
*NewSession = pSession ; *OldSession = pOldSession ;
return scRet ;
}
extern "C"NTSTATUSInitializeDirectDispatcher( VOID ){ InternalApiLog = ApiLogCreate( 0 );
if ( InternalApiLog ) { return STATUS_SUCCESS ; }
return STATUS_UNSUCCESSFUL ;}
//+---------------------------------------------------------------------------
//
// Function: DispatchAPIDirect
//
// Synopsis: Dispatcher to be called from security.dll when in process.
//
// Arguments: [pApiMessage] --
//
// History: 9-13-96 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSSEC_ENTRYDispatchAPIDirect( PSPM_LPC_MESSAGE pApiMessage){ NTSTATUS scRet; PSession pOldSession; PSession pSession; PVOID DsaState ; HANDLE ImpersonatedToken = NULL; ULONG TokenSize = sizeof(HANDLE); LSA_CALL_INFO CallInfo ; PLSA_CALL_INFO OriginalCall ; ULONG_PTR OriginalPackageId; PLSAP_API_LOG_ENTRY Entry ;
//
// save off the current package hints to allow recursion in process.
//
OriginalCall = LsapGetCurrentCall() ; OriginalPackageId = GetCurrentPackageId();
pApiMessage->pmMessage.MessageId = InterlockedIncrement( &InternalMessageId );
Entry = ApiLogAlloc( InternalApiLog );
scRet = LsapBuildCallInfo( pApiMessage, &CallInfo, &ImpersonatedToken, &pSession, &pOldSession );
if ( !NT_SUCCESS( scRet ) ) { return scRet ; }
DBG_DISPATCH_PROLOGUE_EX( Entry, pApiMessage, CallInfo );
LsapSetCurrentCall( &CallInfo );
SetCurrentSession( pSession );
if ( GetDsaThreadState ) { DsaState = GetDsaThreadState(); } else { DsaState = NULL ; }
DebugLog((DEB_TRACE,"[%x] DispatchAPIDirect: dispatching %s (%d)\n", pSession->dwProcessID, ApiLabel(pApiMessage->ApiMessage.dwAPI), pApiMessage->ApiMessage.dwAPI));
scRet = 0;
if ((pApiMessage->ApiMessage.dwAPI >= LsapAuLookupPackageApi) && (pApiMessage->ApiMessage.dwAPI < SPMAPI_MaxApiNumber) && (LpcDispatchTable[pApiMessage->ApiMessage.dwAPI] != NULL) ) {
scRet = LpcDispatchTable[pApiMessage->ApiMessage.dwAPI](pApiMessage);
} else { DebugLog((DEB_ERROR, "[%x] Dispatch: Unknown API code %x\n", pSession->dwProcessID, pApiMessage->ApiMessage.dwAPI)); pApiMessage->ApiMessage.Args.SpmArguments.fAPI |= SPMAPI_FLAG_ERROR_RET; pApiMessage->ApiMessage.scRet = SEC_E_UNSUPPORTED_FUNCTION; }
DebugLog((DEB_TRACE, "[%x] DispatchAPIDirect: retcode = %x\n", pSession->dwProcessID, pApiMessage->ApiMessage.scRet));
if ( DsaState ) { RestoreDsaThreadState( DsaState ); }
if ( pOldSession != pSession ) { SetCurrentSession( pOldSession ); }
DBG_DISPATCH_POSTLOGUE( ULongToPtr( pApiMessage->ApiMessage.scRet ), pApiMessage->ApiMessage.dwAPI );
SpmpDereferenceSession( pSession );
SetCurrentPackageId( OriginalPackageId );
LsapSetCurrentCall( OriginalCall );
(void) NtSetInformationThread( NtCurrentThread(), ThreadImpersonationToken, (PVOID) &ImpersonatedToken, sizeof(HANDLE) );
if ( ImpersonatedToken ) { NtClose( ImpersonatedToken ); }
return( SEC_E_OK );
}
//+---------------------------------------------------------------------------
//
// Function: LpcLsaPolicyChangeNotify
//
// Synopsis: Lpc stub for LsaPolicyChangeNotify
//
// Arguments: [pApiMessage] --
//
// History: 06-05-98 MacM Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSLpcLsaPolicyChangeNotify( PSPM_LPC_MESSAGE pApiMessage ){ SPMLsaPolicyChangeNotifyAPI * Args = &pApiMessage->ApiMessage.Args.SpmArguments.API.LsaPolicyChangeNotify; NTSTATUS Status = STATUS_SUCCESS; HANDLE LocalHandle = NULL; PSession Session;
HANDLE PassedHandle = ( HANDLE ) Args->EventHandle; // extract the handle and put it
// correctly sized variable
Session = GetCurrentSession();
Status = CheckCaller( Session );
if ( !NT_SUCCESS( Status ) ) {
DebugLog(( DEB_ERROR, "CheckCaller returned 0x%lx\n", Status ));
return( Status ); }
if ( Args->Register ) {
//
// Duplicate the handle
//
Status = NtDuplicateObject( Session->hProcess, PassedHandle, NtCurrentProcess(), &LocalHandle, 0, 0, DUPLICATE_SAME_ACCESS ); }
//
// Now, the notify
//
if (NT_SUCCESS( Status )) {
Status = LsapNotifyProcessNotificationEvent( Args->NotifyInfoClass, LocalHandle, GetCurrentSession()->dwProcessID, PassedHandle, Args->Register );
if ( NT_SUCCESS( Status )) { // Indicate that we've successfully registered the handle
LocalHandle = NULL; }
//
// Since we duplicated the handle in our namespace, if we fail to register it,
// make sure we close it
//
if ( LocalHandle != NULL ) { NtClose( LocalHandle ); } }
pApiMessage->ApiMessage.scRet = Status;
return( Status );}
|
