|
|
//+---------------------------------------------------------------------------
//
// Microsoft Windows
// Copyright (C) Microsoft Corporation, 1992 - 1995.
//
// File: neglsa.cxx
//
// Contents: General (both win9x and nt) functions
//
// Classes:
//
// Functions:
//
// History: 02-09-00 RichardW Created - split from negotiat.cxx
//
//----------------------------------------------------------------------------
#include <lsapch.hxx>
extern "C"{#include <align.h>
#include <lm.h>
#include <dsgetdc.h>
#include <cryptdll.h>
#include <netlib.h>
#include <spmgr.h>
#include "sesmgr.h"
#include "spinit.h"
}
#include "negotiat.hxx"
#include <stdio.h>
GUID GUID_NULL = {0L, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};TOKEN_SOURCE LsapTokenSource = {"LSA", 0};
//
// Hardcoded english strings for LocalService and NetworkService
// since the account names may come from the registry (which isn't
// localized).
//
#define LOCALSERVICE_NAME L"LocalService"
#define NETWORKSERVICE_NAME L"NetworkService"
#define NTAUTHORITY_NAME L"NT AUTHORITY"
UNICODE_STRING LocalServiceName = { sizeof(LOCALSERVICE_NAME) - 2, sizeof(LOCALSERVICE_NAME), LOCALSERVICE_NAME };
UNICODE_STRING NetworkServiceName = { sizeof(NETWORKSERVICE_NAME) - 2, sizeof(NETWORKSERVICE_NAME), NETWORKSERVICE_NAME };
UNICODE_STRING NTAuthorityName = { sizeof(NTAUTHORITY_NAME) - 2, sizeof(NTAUTHORITY_NAME), NTAUTHORITY_NAME };HANDLE NegEventLogHandle = NULL ;ULONG NegEventLogLevel = 3 ;
EXTERN RTL_CRITICAL_SECTION NegComputerNamesLock;
//
// RELOCATE_ONE - Relocate a single pointer in a client buffer.
//
// Note: this macro is dependent on parameter names as indicated in the
// description below. On error, this macro goes to 'Cleanup' with
// 'Status' set to the NT Status code.
//
// The MaximumLength is forced to be Length.
//
// Define a macro to relocate a pointer in the buffer the client passed in
// to be relative to 'ProtocolSubmitBuffer' rather than being relative to
// 'ClientBufferBase'. The result is checked to ensure the pointer and
// the data pointed to is within the first 'SubmitBufferSize' of the
// 'ProtocolSubmitBuffer'.
//
// The relocated field must be aligned to a WCHAR boundary.
//
// _q - Address of UNICODE_STRING structure which points to data to be
// relocated
//
#define RELOCATE_ONE( _q ) \
{ \ ULONG_PTR Offset; \ \ Offset = (((PUCHAR)((_q)->Buffer)) - ((PUCHAR)ClientBufferBase)); \ if ( Offset >= SubmitBufferSize || \ Offset + (_q)->Length > SubmitBufferSize || \ !COUNT_IS_ALIGNED( Offset, ALIGN_WCHAR) ) { \ \ Status = STATUS_INVALID_PARAMETER; \ goto Cleanup; \ } \ \ (_q)->Buffer = (PWSTR)(((PUCHAR)ProtocolSubmitBuffer) + Offset); \ (_q)->MaximumLength = (_q)->Length ; \ }
//
// NULL_RELOCATE_ONE - Relocate a single (possibly NULL) pointer in a client
// buffer.
//
// This macro special cases a NULL pointer then calls RELOCATE_ONE. Hence
// it has all the restrictions of RELOCATE_ONE.
//
//
// _q - Address of UNICODE_STRING structure which points to data to be
// relocated
//
#define NULL_RELOCATE_ONE( _q ) \
{ \ if ( (_q)->Buffer == NULL ) { \ if ( (_q)->Length != 0 ) { \ Status = STATUS_INVALID_PARAMETER; \ goto Cleanup; \ } \ } else if ( (_q)->Length == 0 ) { \ (_q)->Buffer = NULL; \ } else { \ RELOCATE_ONE( _q ); \ } \ }
#define MAX_EVENT_STRINGS 8
extern SECPKG_PRIMARY_CRED NegPrimarySystemCredentials;
//
// Local function prototypes
//
NTSTATUSNegpMakeServiceToken( IN ULONG ulAccountId, OUT PLUID pLogonId, OUT PVOID *ProfileBuffer, OUT PULONG ProfileBufferLength, OUT PNTSTATUS ApiSubStatus, OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType, OUT PVOID *TokenInformation, OUT PUNICODE_STRING *AccountName, OUT PUNICODE_STRING *AuthenticatingAuthority, OUT PUNICODE_STRING *MachineName, OUT PSECPKG_PRIMARY_CRED PrimaryCredentials, OUT PSECPKG_SUPPLEMENTAL_CRED_ARRAY * CachedCredentials );
BOOLNegpIsLocalOrNetworkService( IN PVOID ProtocolSubmitBuffer, IN PVOID ClientBufferBase, IN ULONG SubmitBufferSize, OUT PUNICODE_STRING *AccountName, OUT PUNICODE_STRING *AuthenticatingAuthority, OUT PUNICODE_STRING *MachineName, OUT PULONG pulAccountId );
#ifdef _WIN64
NTSTATUSNegpConvertWOWInteractiveLogonBuffer( IN PVOID ProtocolSubmitBuffer, IN PVOID ClientBufferBase, IN OUT PULONG pSubmitBufferSize, OUT PVOID *ppTempSubmitBuffer );
#endif // _WIN64
VOIDNegpReportEvent( IN WORD EventType, IN DWORD EventId, IN DWORD Category, IN NTSTATUS Status, IN DWORD NumberOfStrings, ... ){ va_list arglist; ULONG i; PWSTR Strings[ MAX_EVENT_STRINGS ]; BOOLEAN Allocated[ MAX_EVENT_STRINGS ] = { 0 }; WCHAR StatusString[ MAX_PATH ]; WCHAR FinalStatus[ MAX_PATH ]; HANDLE Dll ; DWORD rv;
if (NegEventLogHandle == NULL ) { //
// only log identical event once per hour.
// note that LSA doesn't cleanup this 'handle' during shutdown,
// to avoid preventing log failures during shutdown.
//
NegEventLogHandle = NetpEventlogOpen( L"LSASRV", 60000*60 );
if ( NegEventLogHandle == NULL ) { return ; } }
//
// We're not supposed to be logging this, so nuke it
//
if ((NegEventLogLevel & (1 << EventType)) == 0) { return ; }
//
// Look at the strings, if they were provided
//
va_start( arglist, NumberOfStrings );
if (NumberOfStrings > MAX_EVENT_STRINGS) { NumberOfStrings = MAX_EVENT_STRINGS; }
for (i=0; i<NumberOfStrings; i++) {
PUNICODE_STRING String = va_arg( arglist, PUNICODE_STRING );
//
// Make sure strings are NULL-terminated. Do it in place for
// those strings whose buffers can accomodate an additional character,
// and allocate memory for the rest.
//
if ( String->MaximumLength > String->Length ) {
Strings[i] = String->Buffer;
} else {
SafeAllocaAllocate(Strings[i], String->Length + sizeof( WCHAR ));
if ( Strings[i] == NULL ) {
goto Cleanup; }
Allocated[i] = TRUE;
RtlCopyMemory( Strings[i], String->Buffer, String->Length ); }
Strings[i][String->Length / sizeof( WCHAR )] = L'\0';
}
if ( Status != 0 ) { static HMODULE NtDll; static HMODULE Kernel32;
//
// Map the status code:
//
//
// The value "type" is not known. Try and figure out what it
// is.
//
if ( (Status & 0xC0000000) == 0xC0000000 ) { //
// Easy: NTSTATUS failure case
//
if( NtDll == NULL ) { NtDll = GetModuleHandleW( L"NTDLL.DLL" ); }
Dll = NtDll; } else if ( ( Status & 0xF0000000 ) == 0xD0000000 ) { //
// HRESULT from NTSTATUS
//
if( NtDll == NULL ) { NtDll = GetModuleHandleW( L"NTDLL.DLL" ); }
Dll = NtDll;
Status &= 0xCFFFFFFF ; } else if ( ( Status & 0x80000000 ) == 0x80000000 ) { //
// Note, this can overlap with NTSTATUS warning area. In that
// case, force the NTSTATUS.
//
if( Kernel32 == NULL ) { Kernel32 = GetModuleHandleW( L"KERNEL32.DLL" ); }
Dll = Kernel32; } else { //
// Sign bit is off. Explore some known ranges:
//
if ( (Status >= WSABASEERR) && (Status <= WSABASEERR + 1000 )) { Dll = LoadLibraryExW(L"ws2_32.dll", NULL, LOAD_LIBRARY_AS_DATAFILE); } else if ( ( Status >= NERR_BASE ) && ( Status <= MAX_NERR ) ) { Dll = LoadLibraryExW(L"netmsg.dll", NULL, LOAD_LIBRARY_AS_DATAFILE); } else { if( Kernel32 == NULL ) { Kernel32 = GetModuleHandleW( L"KERNEL32.DLL" ); }
Dll = Kernel32; } }
if (!FormatMessage( FORMAT_MESSAGE_IGNORE_INSERTS | FORMAT_MESSAGE_FROM_HMODULE, Dll, Status, 0, StatusString, MAX_PATH, NULL ) ) { StatusString[0] = L' '; StatusString[1] = L'\0'; }
if ( Status < 0 ) { _snwprintf( FinalStatus, MAX_PATH, L"\"%ws (%#x)\"", StatusString, Status ); } else { _snwprintf( FinalStatus, MAX_PATH, L"\"%ws (%#x, %d)\"", StatusString, Status, Status ); }
if ( NumberOfStrings < MAX_EVENT_STRINGS ) { Strings[ NumberOfStrings++ ] = FinalStatus ; }
}
//
// Report the event to the eventlog service
//
NetpEventlogWriteEx( NegEventLogHandle, EventType, Category, EventId, NumberOfStrings, sizeof(NTSTATUS), Strings, &Status );
Cleanup:
for ( i = 0 ; i < NumberOfStrings ; i++ ) {
if ( Allocated[i] ) {
SafeAllocaFree( Strings[i] ); } }}
//+---------------------------------------------------------------------------
//
// Function: NegLsaPolicyChangeCallback
//
// Synopsis: Called by the policy engine in the LSA when local policy changes,
// allowing us to update our state about the machine account, etc.
//
// Arguments: ChangedInfoClass - Class of policy that changed
//
// History: 2-9-00 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
VOIDNTAPINegLsaPolicyChangeCallback( IN POLICY_NOTIFICATION_INFORMATION_CLASS ChangedInfoClass ){ PLSAPR_POLICY_INFORMATION Policy = NULL ; NTSTATUS Status ; GUID GuidNull = GUID_NULL ; PLSAP_LOGON_SESSION LogonSession = NULL ; BOOL Uplevel ; UNICODE_STRING TmpDomainName = {0};
//
// Right now, only domain information is interesting
//
if ( ChangedInfoClass != PolicyNotifyDnsDomainInformation ) { return ; }
DebugLog(( DEB_TRACE_NEG, "Domain change, updating state\n" ));
//
// Reset the trust list. The next time someone asks for the trust
// list, it will have expired and they will get a fresh one.
//
NegTrustTime.QuadPart = 0 ;
//
// Obtain the new policy settings
//
Status = LsaIQueryInformationPolicyTrusted( PolicyDnsDomainInformation, &Policy );
if ( NT_SUCCESS( Status ) ) { //
// If the domain has a GUID, then it is an uplevel domain
//
if ( Policy->PolicyDnsDomainInfo.DomainGuid == GuidNull ) { Uplevel = FALSE ; } else { Uplevel = TRUE ; }
RtlEnterCriticalSection(&NegComputerNamesLock);
Status = LsapDuplicateString( &TmpDomainName, (PUNICODE_STRING) &Policy->PolicyDnsDomainInfo.DnsDomainName );
if (NT_SUCCESS(Status)) {
//
// Time to update the primary system credentials.
//
if ( TmpDomainName.Buffer ) { LsapFreeString( &NegPrimarySystemCredentials.DnsDomainName ); NegPrimarySystemCredentials.DnsDomainName = TmpDomainName; TmpDomainName.Buffer = NULL; } Status = LsapDuplicateString( &TmpDomainName, (PUNICODE_STRING) &Policy->PolicyDnsDomainInfo.Name );
if (NT_SUCCESS(Status)) { if ( TmpDomainName.Buffer ) { LsapFreeString( &NegPrimarySystemCredentials.DomainName ); NegPrimarySystemCredentials.DomainName = TmpDomainName; TmpDomainName.Buffer = NULL; } } }
RtlLeaveCriticalSection(&NegComputerNamesLock);
//
// Done with the policy info
//
LsaIFree_LSAPR_POLICY_INFORMATION( PolicyDnsDomainInformation, Policy );
NegUplevelDomain = Uplevel ;
//
// Update the package ID for the local system logon session
// Note, any additional special logon sessions will need to be
// updated as well.
//
LogonSession = LsapLocateLogonSession( &SystemLogonId );
if ( LogonSession ) { if ( Uplevel ) { LogonSession->CreatingPackage = NegPackageId ; } else { LogonSession->CreatingPackage = NtlmPackageId ; } LsapReleaseLogonSession( LogonSession ); }
}
{ ULONG Size;
static WCHAR NegNetbiosComputerName[ MAX_COMPUTERNAME_LENGTH + 1 ]; static WCHAR NegDnsComputerName[ DNS_MAX_NAME_BUFFER_LENGTH + 1 ];
//
// refresh the computer names.
// note we could avoid taking the lock around these calls if we dyna-alloc'd
// and freed the existing buffers. We don't expect this path to be hit often,
// so avoid the hassle.
//
NegWriteLockComputerNames();
Size = sizeof(NegDnsComputerName) / sizeof(WCHAR);
//
// Note, if this fails, it's ok. We just won't be able to make
// some optimizations later.
//
if(!GetComputerNameExW( ComputerNamePhysicalDnsFullyQualified, NegDnsComputerName, &Size )) { NegDnsComputerName[ 0 ] = L'\0'; }
RtlInitUnicodeString( &NegDnsComputerName_U, NegDnsComputerName );
Size = sizeof(NegNetbiosComputerName) / sizeof(WCHAR);
if(!GetComputerNameExW( ComputerNamePhysicalNetBIOS, NegNetbiosComputerName, &Size )) { NegNetbiosComputerName[ 0 ] = L'\0'; }
RtlInitUnicodeString( &NegNetbiosComputerName_U, NegNetbiosComputerName );
NegUnlockComputerNames();
}
}
//+---------------------------------------------------------------------------
//
// Function: NegParamChange
//
// Synopsis: Called by LSA whenever the LSA registry key changes
//
// Arguments: [p] --
//
// History: 5-11-00 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
DWORDWINAPINegParamChange( PVOID p ){ NTSTATUS Status ; PSECPKG_EVENT_NOTIFY Notify; HKEY LsaKey ;
Notify = (PSECPKG_EVENT_NOTIFY) p;
if ( Notify->EventClass != NOTIFY_CLASS_REGISTRY_CHANGE ) { return( 0 ); }
if ( RegOpenKeyEx( HKEY_LOCAL_MACHINE, TEXT("System\\CurrentControlSet\\Control\\Lsa"), 0, KEY_READ, &LsaKey ) == 0 ) { NegpReadRegistryParameters( LsaKey );
RegCloseKey( LsaKey ); }
return 0 ;
}
//+---------------------------------------------------------------------------
//
// Function: NegEnumPackagePrefixesCall
//
// Synopsis: LsaCallPackage routine to identify the prefxes (or OIDs) for
// all the packages, for SASL support.
//
// Arguments:
//
// History:
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUSNegEnumPackagePrefixesCall( IN PLSA_CLIENT_REQUEST ClientRequest, IN PVOID ProtocolSubmitBuffer, IN PVOID ClientBufferBase, IN ULONG SubmitBufferLength, OUT PVOID *ProtocolReturnBuffer, OUT PULONG ReturnBufferLength, OUT PNTSTATUS ProtocolStatus ){ UCHAR PrefixBuffer[ NEGOTIATE_MAX_PREFIX ]; NTSTATUS Status ; PNEGOTIATE_PACKAGE_PREFIXES Prefixes ; PNEGOTIATE_PACKAGE_PREFIX Prefix ; PNEGOTIATE_PACKAGE_PREFIX_WOW PrefixWow ; ULONG PackageCount ; BOOL WowClient = FALSE ; PNEG_PACKAGE Package ; PLIST_ENTRY Scan ; SECPKG_CALL_INFO CallInfo ; ULONG Size ;
LsapGetCallInfo( &CallInfo );
if ( CallInfo.Attributes & SECPKG_CALL_WOWCLIENT ) { WowClient = TRUE; }
NegReadLockList();
Size = sizeof( NEGOTIATE_PACKAGE_PREFIXES ) + sizeof( NEGOTIATE_PACKAGE_PREFIX ) * ( NegPackageCount + 1 );
SafeAllocaAllocate(Prefixes, Size);
if ( !Prefixes ) { NegUnlockList();
return SEC_E_INSUFFICIENT_MEMORY ; }
Prefixes->MessageType = NegEnumPackagePrefixes ; Prefixes->Offset = sizeof( NEGOTIATE_PACKAGE_PREFIXES );
//
// We're going to do one or the other, but initializing them both
// makes the compiler happier.
//
Prefix = (PNEGOTIATE_PACKAGE_PREFIX) ( Prefixes + 1 );
PrefixWow = (PNEGOTIATE_PACKAGE_PREFIX_WOW) ( Prefixes + 1);
if ( WowClient ) { PrefixWow->PackageId = (ULONG) NegPackageId ; PrefixWow->PrefixLen = sizeof( NegSpnegoMechEncodedOid ); PrefixWow->PackageDataA = NULL ; PrefixWow->PackageDataW = NULL ; RtlCopyMemory( PrefixWow->Prefix, NegSpnegoMechEncodedOid, sizeof( NegSpnegoMechEncodedOid ) );
PrefixWow++ ; } else { Prefix->PackageId = NegPackageId ; Prefix->PrefixLen = sizeof( NegSpnegoMechEncodedOid ); Prefix->PackageDataA = NULL ; Prefix->PackageDataW = NULL ; RtlCopyMemory( Prefix->Prefix, NegSpnegoMechEncodedOid, sizeof( NegSpnegoMechEncodedOid ) );
Prefix++ ; }
PackageCount = 1 ; Scan = NegPackageList.Flink ;
while ( Scan != &NegPackageList ) { Package = CONTAINING_RECORD( Scan, NEG_PACKAGE, List );
if ( !WowClient ) { Prefix->PackageId = Package->LsaPackage->dwPackageID ; Prefix->PrefixLen = Package->PrefixLen ; Prefix->PackageDataA = NULL ; Prefix->PackageDataW = NULL ; RtlCopyMemory( Prefix->Prefix, Package->Prefix, Package->PrefixLen );
Prefix++ ; PackageCount++ ; } else { if ( Package->LsaPackage->fPackage & SP_WOW_SUPPORT ) { PrefixWow->PackageId = (ULONG) Package->LsaPackage->dwPackageID ; PrefixWow->PrefixLen = Package->PrefixLen ; PrefixWow->PackageDataA = NULL ; PrefixWow->PackageDataW = NULL ; RtlCopyMemory( PrefixWow->Prefix, Package->Prefix, Package->PrefixLen );
PrefixWow++ ; PackageCount++ ;
} }
Scan = Scan->Flink ; }
NegUnlockList();
//
// Set the final count of packages:
//
Prefixes->PrefixCount = PackageCount ;
Status = LsapAllocateClientBuffer( NULL, Size, ProtocolReturnBuffer );
if ( NT_SUCCESS( Status ) ) { Status = LsapCopyToClient( Prefixes, *ProtocolReturnBuffer, Size );
*ReturnBufferLength = Size ; }
SafeAllocaFree(Prefixes);
return Status ;}
NTSTATUSNegGetCallerNameCall( IN PLSA_CLIENT_REQUEST ClientRequest, IN PVOID ProtocolSubmitBuffer, IN PVOID ClientBufferBase, IN ULONG SubmitBufferLength, OUT PVOID *ProtocolReturnBuffer, OUT PULONG ReturnBufferLength, OUT PNTSTATUS ProtocolStatus ){ PNEGOTIATE_CALLER_NAME_REQUEST Request ; PNEGOTIATE_CALLER_NAME_RESPONSE Response ; PNEGOTIATE_CALLER_NAME_RESPONSE_WOW ResponseWow ; SECPKG_CLIENT_INFO ClientInfo ; SECPKG_CALL_INFO CallInfo ; NTSTATUS Status ; PNEG_LOGON_SESSION LogonSession ; ULONG ClientSize ; PUCHAR Where ; PVOID ClientBuffer ; BOOL ReCheckAccess = FALSE ;
*ProtocolReturnBuffer = NULL ; *ReturnBufferLength = 0 ; *ProtocolStatus = 0 ;
if ( SubmitBufferLength != sizeof( NEGOTIATE_CALLER_NAME_REQUEST ) ) { return STATUS_INVALID_PARAMETER ; }
Request = (PNEGOTIATE_CALLER_NAME_REQUEST) ProtocolSubmitBuffer ;
Status = LsapGetClientInfo( &ClientInfo );
if ( !NT_SUCCESS( Status ) ) { return Status ; }
LsapGetCallInfo( &CallInfo );
if ( RtlIsZeroLuid( &Request->LogonId ) ) { Request->LogonId = ClientInfo.LogonId ; } else { if ( !RtlEqualLuid( &ClientInfo.LogonId, &Request->LogonId ) ) { ReCheckAccess = TRUE ; } }
LogonSession = NegpLocateLogonSession( &Request->LogonId );
if ( LogonSession ) { if ( ReCheckAccess ) { if ( !RtlEqualLuid( &ClientInfo.LogonId, &LogonSession->ParentLogonId ) ) { Status = STATUS_ACCESS_DENIED ;
goto AccessDeniedError ; } }
if ( LogonSession->AlternateName.Buffer == NULL ) { //
// No alternate ID
//
Status = STATUS_NO_SUCH_LOGON_SESSION ;
goto AccessDeniedError ; }
ClientSize = sizeof( NEGOTIATE_CALLER_NAME_RESPONSE ) + LogonSession->AlternateName.Length + sizeof( WCHAR );
SafeAllocaAllocate(Response, ClientSize);
if ( Response ) { RtlZeroMemory(Response, ClientSize);
ClientBuffer = LsapClientAllocate( ClientSize );
if ( ClientBuffer ) { Where = (PUCHAR) ClientBuffer + sizeof( NEGOTIATE_CALLER_NAME_RESPONSE ) ;
//
// If a WOW client, copy these to the 32bit locations. Note
// that this will leave a "hole," but that's ok.
//
if ( CallInfo.Attributes & SECPKG_CALL_WOWCLIENT ) { ResponseWow = (PNEGOTIATE_CALLER_NAME_RESPONSE_WOW) Response ; ResponseWow->MessageType = NegGetCallerName ; ResponseWow->CallerName = PtrToUlong(Where) ; } else { Response->MessageType = NegGetCallerName ; Response->CallerName = (PWSTR) Where ; }
RtlCopyMemory( (Response + 1), LogonSession->AlternateName.Buffer, LogonSession->AlternateName.Length );
*ProtocolReturnBuffer = ClientBuffer ; *ReturnBufferLength = ClientSize ; *ProtocolStatus = 0 ; Status = LsapCopyToClient( Response, ClientBuffer, ClientSize ) ; } else { Status = STATUS_NO_MEMORY ; }
SafeAllocaFree(Response); }
AccessDeniedError:
NegpDerefLogonSession( LogonSession );
} else {
Status = STATUS_NO_SUCH_LOGON_SESSION ; }
*ProtocolStatus = Status ;
return STATUS_SUCCESS ;}
PNEG_LOGON_SESSIONNegpBuildLogonSession( PLUID LogonId, ULONG_PTR LogonPackage, ULONG_PTR DefaultPackage ){ PNEG_LOGON_SESSION LogonSession ;
LogonSession = (PNEG_LOGON_SESSION) LsapAllocatePrivateHeap( sizeof( NEG_LOGON_SESSION ) );
if ( LogonSession ) { LogonSession->LogonId = *LogonId ; LogonSession->CreatingPackage = LogonPackage ; LogonSession->DefaultPackage = DefaultPackage ; LogonSession->RefCount = 2 ;
RtlEnterCriticalSection( &NegLogonSessionListLock );
InsertHeadList( &NegLogonSessionList, &LogonSession->List );
RtlLeaveCriticalSection( &NegLogonSessionListLock );
}
return LogonSession ;}
VOIDNegpDerefLogonSession( PNEG_LOGON_SESSION LogonSession ){ BOOL FreeIt = FALSE ;
RtlEnterCriticalSection( &NegLogonSessionListLock );
LogonSession->RefCount-- ;
if ( LogonSession->RefCount == 0 ) { RemoveEntryList( &LogonSession->List );
FreeIt = TRUE ; }
RtlLeaveCriticalSection( &NegLogonSessionListLock );
if ( FreeIt ) { if ( LogonSession->AlternateName.Buffer ) { LsapFreePrivateHeap( LogonSession->AlternateName.Buffer ); }
LsapFreePrivateHeap( LogonSession ); }
}
VOIDNegpDerefLogonSessionById( PLUID LogonId ){ BOOL FreeIt = FALSE ; PLIST_ENTRY Scan ; PNEG_LOGON_SESSION LogonSession = NULL;
RtlEnterCriticalSection( &NegLogonSessionListLock );
Scan = NegLogonSessionList.Flink ;
while ( Scan != &NegLogonSessionList ) { LogonSession = CONTAINING_RECORD( Scan, NEG_LOGON_SESSION, List );
if ( RtlEqualLuid( LogonId, &LogonSession->LogonId ) ) { LogonSession->RefCount -- ;
if ( LogonSession->RefCount == 0 ) { RemoveEntryList( &LogonSession->List );
FreeIt = TRUE ;
}
break; }
LogonSession = NULL ;
Scan = Scan->Flink ; }
RtlLeaveCriticalSection( &NegLogonSessionListLock );
if ( FreeIt ) { DsysAssert( LogonSession != NULL );
if ( LogonSession->AlternateName.Buffer ) { LsapFreePrivateHeap( LogonSession->AlternateName.Buffer ); }
LsapFreePrivateHeap( LogonSession ); }
}
PNEG_LOGON_SESSIONNegpLocateLogonSession( PLUID LogonId ){ PLIST_ENTRY Scan ; PNEG_LOGON_SESSION LogonSession = NULL;
RtlEnterCriticalSection( &NegLogonSessionListLock );
Scan = NegLogonSessionList.Flink ;
while ( Scan != &NegLogonSessionList ) { LogonSession = CONTAINING_RECORD( Scan, NEG_LOGON_SESSION, List );
if ( RtlEqualLuid( LogonId, &LogonSession->LogonId ) ) { break; }
LogonSession = NULL ;
Scan = Scan->Flink ; }
if ( LogonSession ) { LogonSession->RefCount++ ; }
RtlLeaveCriticalSection( &NegLogonSessionListLock );
return LogonSession ;}
NTSTATUSNTAPINegpMapLogonRequest( IN PVOID ProtocolSubmitBuffer, IN PVOID ClientBufferBase, IN ULONG SubmitBufferSize, OUT PMSV1_0_INTERACTIVE_LOGON * LogonInfo ){ NTSTATUS Status = STATUS_SUCCESS ; PMSV1_0_INTERACTIVE_LOGON Authentication = NULL; PSECURITY_SEED_AND_LENGTH SeedAndLength; UCHAR Seed;
//
// Ensure this is really an interactive logon.
//
Authentication = (PMSV1_0_INTERACTIVE_LOGON) ProtocolSubmitBuffer;
if ( Authentication->MessageType != MsV1_0InteractiveLogon ) { DebugLog(( DEB_ERROR, "Neg: Bad Validation Class %d\n", Authentication->MessageType)); Status = STATUS_BAD_VALIDATION_CLASS; goto Cleanup; }
//
// If the password length is greater than 255 (i.e., the
// upper byte of the length is non-zero) then the password
// has been run-encoded for privacy reasons. Get the
// run-encode seed out of the upper-byte of the length
// for later use.
//
//
SeedAndLength = (PSECURITY_SEED_AND_LENGTH) &Authentication->Password.Length; Seed = SeedAndLength->Seed; SeedAndLength->Seed = 0;
//
// Enforce length restrictions on username and password.
//
if ( Authentication->UserName.Length > UNLEN || Authentication->Password.Length > PWLEN ) { DebugLog(( DEB_ERROR, "Neg: Name or password too long\n")); Status = STATUS_NAME_TOO_LONG; goto Cleanup; }
//
// Relocate any pointers to be relative to 'Authentication'
//
NULL_RELOCATE_ONE( &Authentication->LogonDomainName );
RELOCATE_ONE( &Authentication->UserName );
NULL_RELOCATE_ONE( &Authentication->Password );
//
// Now decode the password, if necessary
//
if (Seed != 0 ) { __try { RtlRunDecodeUnicodeString( Seed, &Authentication->Password); } __except(EXCEPTION_EXECUTE_HANDLER) { Status = STATUS_ILL_FORMED_PASSWORD; goto Cleanup; } }
*LogonInfo = Authentication ;
Cleanup:
return Status ;
}
VOIDNegpDerefTrustList( PNEG_TRUST_LIST TrustList ){ RtlEnterCriticalSection( &NegTrustListLock );
TrustList->RefCount-- ;
if ( TrustList->RefCount == 0 ) { if( NegTrustList == TrustList ) { NegTrustList = NULL; }
RtlLeaveCriticalSection( &NegTrustListLock );
NetApiBufferFree( TrustList->Trusts );
LsapFreePrivateHeap( TrustList );
return; }
RtlLeaveCriticalSection( &NegTrustListLock );
}
PNEG_TRUST_LISTNegpGetTrustList( VOID ){ PDS_DOMAIN_TRUSTS Trusts = NULL; DWORD TrustCount ; PNEG_TRUST_LIST TrustList = NULL ; DWORD NetStatus ; LARGE_INTEGER Now ;
BOOLEAN TrustListLocked = TRUE;
GetSystemTimeAsFileTime( (LPFILETIME) &Now );
RtlEnterCriticalSection( &NegTrustListLock );
if ( Now.QuadPart > NegTrustTime.QuadPart + FIFTEEN_MINUTES ) { if( NegTrustList != NULL && NegTrustList->RefCount == 1 ) { NegpDerefTrustList( NegTrustList ); NegTrustList = NULL; } }
if( NegTrustList != NULL ) { TrustList = NegTrustList ; TrustList->RefCount++ ; goto Cleanup; }
RtlLeaveCriticalSection( &NegTrustListLock ); TrustListLocked = FALSE;
NetStatus = DsEnumerateDomainTrustsW( NULL, DS_DOMAIN_IN_FOREST | DS_DOMAIN_PRIMARY, &Trusts, &TrustCount );
if ( NetStatus != 0 ) { goto Cleanup; }
TrustList = (PNEG_TRUST_LIST) LsapAllocatePrivateHeap( sizeof( NEG_TRUST_LIST ) );
if( TrustList == NULL ) { goto Cleanup; }
TrustList->RefCount = 2 ; TrustList->TrustCount = TrustCount ; TrustList->Trusts = Trusts ;
RtlEnterCriticalSection( &NegTrustListLock ); TrustListLocked = TRUE;
if( NegTrustList != NULL ) { PNEG_TRUST_LIST FreeTrustList = TrustList;
TrustList = NegTrustList ; TrustList->RefCount++ ;
RtlLeaveCriticalSection( &NegTrustListLock ); TrustListLocked = FALSE;
LsapFreePrivateHeap( FreeTrustList ); goto Cleanup; }
Trusts = NULL;
NegTrustList = TrustList ; NegTrustTime = Now ;
Cleanup:
if( TrustListLocked ) { RtlLeaveCriticalSection( &NegTrustListLock ); }
if( Trusts != NULL ) { NetApiBufferFree( Trusts ); }
return TrustList ;}
NEG_DOMAIN_TYPESNegpIsUplevelDomain( PLUID LogonId, SECURITY_LOGON_TYPE LogonType, PUNICODE_STRING Domain ){ PNEG_TRUST_LIST TrustList ; UNICODE_STRING String ; ULONG i ; BOOL IsUplevel = FALSE ; LONG Error ; PDOMAIN_CONTROLLER_INFOW Info ;
UNREFERENCED_PARAMETER(LogonId);
//
// Case #1. Local logons are not uplevel, and should be allowed to
// use NTLM right off the bat. Therefore, return false
//
if ( RtlEqualUnicodeString( Domain, &MachineName, TRUE ) ) { return NegLocalDomain; }
if ( LogonType == CachedInteractive ) { return NegUpLevelDomain; }
//
// Case #2. We logged on to a domain, but we need to check if it is
// an uplevel domain in our forest. If it is, then return true, otherwise
// it's not an uplevel domain and NTLM is acceptable. If we can't obtain the
// trust list, assume downlevel.
//
TrustList = NegpGetTrustList();
if ( TrustList ) { for ( i = 0 ; i < TrustList->TrustCount ; i++ ) { RtlInitUnicodeString( &String, TrustList->Trusts[i].NetbiosDomainName );
if ( RtlEqualUnicodeString( Domain, &String, TRUE ) ) { //
// Hit, check it
//
if ( ( TrustList->Trusts[i].DnsDomainName != NULL ) && ( TrustList->Trusts[i].Flags & DS_DOMAIN_IN_FOREST ) ) { IsUplevel = TRUE ; break; }
} }
NegpDerefTrustList( TrustList );
}
if ( IsUplevel ) { return NegUpLevelDomain ; }
//
// Case #3 - if this is an uplevel domain we live in, then the answer returned
// by netlogon is authoritative:
//
if ( NegUplevelDomain ) { return NegDownLevelDomain ; }
//
// Case #4 - if we are living in a downlevel domain, netlogon won't know if the domain
// we just talked to is uplevel or downlevel. So, we need to figure out directly.
//
Error = DsGetDcNameW( NULL, Domain->Buffer, NULL, NULL, DS_DIRECTORY_SERVICE_REQUIRED, &Info );
if ( Error == 0 ) { IsUplevel = TRUE ; NetApiBufferFree( Info ); } else { IsUplevel = FALSE ; }
return ( IsUplevel ? NegUpLevelTrustedDomain : NegDownLevelDomain );
}
//+-------------------------------------------------------------------------
//
// Function: NegpCloneLogonSession
//
// Synopsis: Handles a NewCredentials type of logon.
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSNTAPINegpCloneLogonSession( IN PVOID ProtocolSubmitBuffer, IN PVOID ClientBufferBase, IN ULONG SubmitBufferSize, OUT PVOID *ProfileBuffer, OUT PULONG ProfileBufferLength, OUT PLUID NewLogonId, OUT PNTSTATUS ApiSubStatus, OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType, OUT PVOID *TokenInformation, OUT PUNICODE_STRING *AccountName, OUT PUNICODE_STRING *AuthenticatingAuthority, OUT PUNICODE_STRING *MachineName, OUT PSECPKG_PRIMARY_CRED PrimaryCredentials, OUT PSECPKG_SUPPLEMENTAL_CRED_ARRAY * CachedCredentials ){ NTSTATUS Status; HANDLE hToken; UCHAR SmallBuffer[ 128 ]; PLSA_TOKEN_INFORMATION_V1 TokenInfo = NULL; PTOKEN_USER User = NULL; PTOKEN_GROUPS Groups = NULL; PTOKEN_GROUPS FinalGroups = NULL; PTOKEN_PRIMARY_GROUP PrimaryGroup = NULL; TOKEN_STATISTICS TokenStats; PLSAP_LOGON_SESSION LogonSession = NULL; PNEG_LOGON_SESSION NegLogonSession; LUID LogonId; LUID LocalServiceLuid = LOCALSERVICE_LUID; LUID NetworkServiceLuid = NETWORKSERVICE_LUID; LUID LocalSystemLuid = SYSTEM_LUID; BOOL fFilterGroups; PMSV1_0_INTERACTIVE_LOGON Authentication = NULL; DWORD Size; ULONG i; ULONG j; PWSTR AltName, AltNameScan;
Status = LsapImpersonateClient();
if ( !NT_SUCCESS( Status ) ) { return Status ; }
//
// Open the token for the lifetime of this call. This makes sure that the
// client doesn't die on us, taking out the logon session (potentially).
//
Status = NtOpenThreadToken( NtCurrentThread(), TOKEN_QUERY, TRUE, &hToken );
RevertToSelf();
if ( !NT_SUCCESS( Status ) ) { return Status ; }
//
// Grovel the token, and build up a list of groups that we will use for
// the new token. Only non-builtin groups will be used.
//
TokenInfo = (PLSA_TOKEN_INFORMATION_V1) LsapAllocateLsaHeap( sizeof( LSA_TOKEN_INFORMATION_V1) );
if ( !TokenInfo ) { Status = STATUS_NO_MEMORY ;
goto Clone_Exit ; }
Status = NtQueryInformationToken( hToken, TokenStatistics, &TokenStats, sizeof( TokenStats ), &Size );
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
TokenInfo->ExpirationTime = TokenStats.ExpirationTime ;
User = (PTOKEN_USER) SmallBuffer ; Size = sizeof( SmallBuffer );
Status = NtQueryInformationToken( hToken, TokenUser, User, Size, &Size );
if ( ( Status == STATUS_BUFFER_OVERFLOW ) || ( Status == STATUS_BUFFER_TOO_SMALL ) ) { SafeAllocaAllocate(User, Size);
if ( User ) { Status = NtQueryInformationToken( hToken, TokenUser, User, Size, &Size ); } else { Status = STATUS_NO_MEMORY ; }
}
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
TokenInfo->User.User.Attributes = 0 ; TokenInfo->User.User.Sid = LsapAllocateLsaHeap( RtlLengthSid( User->User.Sid ) );
if ( TokenInfo->User.User.Sid ) { RtlCopyMemory( TokenInfo->User.User.Sid, User->User.Sid, RtlLengthSid( User->User.Sid ) ); } else { Status = STATUS_NO_MEMORY ;
goto Clone_Exit ; }
if ( User != (PTOKEN_USER) SmallBuffer ) { SafeAllocaFree( User ); }
User = NULL ;
Status = NtQueryInformationToken( hToken, TokenGroups, NULL, 0, &Size );
if ( ( Status != STATUS_BUFFER_OVERFLOW ) && ( Status != STATUS_BUFFER_TOO_SMALL ) ) { goto Clone_Exit ; }
SafeAllocaAllocate(Groups, Size);
if ( !Groups ) { Status = STATUS_NO_MEMORY ;
goto Clone_Exit ; }
Status = NtQueryInformationToken( hToken, TokenGroups, Groups, Size, &Size );
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
//
// Grovel through the group list, and ditch those we don't care about.
// i always travels ahead of j. Skip groups that have one or two RIDs,
// because those are the builtin ones.
//
FinalGroups = (PTOKEN_GROUPS) LsapAllocatePrivateHeap( sizeof( TOKEN_GROUPS ) + Groups->GroupCount * sizeof( SID_AND_ATTRIBUTES ) );
if ( !FinalGroups ) { goto Clone_Exit ; }
//
// Don't filter out groups for tokens where the LSA has hardcoded info on
// how to build the token. If we filter in those cases, we strip out SIDs
// that won't be replaced by the LSA policy/filter routines later on.
//
fFilterGroups = !RtlEqualLuid(&TokenStats.AuthenticationId, &LocalSystemLuid) && !RtlEqualLuid(&TokenStats.AuthenticationId, &LocalServiceLuid) && !RtlEqualLuid(&TokenStats.AuthenticationId, &NetworkServiceLuid);
for ( i = 0, j = 0 ; i < Groups->GroupCount ; i++ ) { if ( !fFilterGroups || *RtlSubAuthorityCountSid( Groups->Groups[ i ].Sid ) > 2 ) { FinalGroups->Groups[ j ].Attributes = Groups->Groups[ i ].Attributes ; Status = LsapDuplicateSid2( &FinalGroups->Groups[ j ].Sid, Groups->Groups[ i ].Sid ); j++ ;
if( !NT_SUCCESS(Status) ) { break; } } }
FinalGroups->GroupCount = j ;
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
//
// whew. Set this in the token info, and null out the other pointer
// so we don't free it inadvertantly.
//
TokenInfo->Groups = FinalGroups ;
FinalGroups = NULL ;
//
// Determine the primary group:
//
PrimaryGroup = (PTOKEN_PRIMARY_GROUP) SmallBuffer ; Size = sizeof( SmallBuffer );
Status = NtQueryInformationToken( hToken, TokenPrimaryGroup, PrimaryGroup, Size, &Size );
if ( ( Status == STATUS_BUFFER_OVERFLOW ) || ( Status == STATUS_BUFFER_TOO_SMALL ) ) { SafeAllocaAllocate(PrimaryGroup, Size);
Status = NtQueryInformationToken( hToken, TokenPrimaryGroup, PrimaryGroup, Size, &Size ); }
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
TokenInfo->PrimaryGroup.PrimaryGroup = LsapAllocateLsaHeap(RtlLengthSid(PrimaryGroup->PrimaryGroup));
if ( TokenInfo->PrimaryGroup.PrimaryGroup ) { RtlCopyMemory( TokenInfo->PrimaryGroup.PrimaryGroup, PrimaryGroup->PrimaryGroup, RtlLengthSid( PrimaryGroup->PrimaryGroup ) ); } else { Status = STATUS_NO_MEMORY ;
goto Clone_Exit ; }
if ( PrimaryGroup != (PTOKEN_PRIMARY_GROUP) SmallBuffer ) { SafeAllocaFree(PrimaryGroup); }
PrimaryGroup = NULL ;
//
// Almost there -- now dupe the privileges.
//
TokenInfo->Privileges = NULL ;
Size = 0;
Status = NtQueryInformationToken( hToken, TokenPrivileges, TokenInfo->Privileges, Size, &Size );
if ( ( Status == STATUS_BUFFER_OVERFLOW ) || ( Status == STATUS_BUFFER_TOO_SMALL ) ) { TokenInfo->Privileges = (PTOKEN_PRIVILEGES) LsapAllocateLsaHeap(Size);
if (TokenInfo->Privileges == NULL) { Status = STATUS_NO_MEMORY; } else { Status = NtQueryInformationToken( hToken, TokenPrivileges, TokenInfo->Privileges, Size, &Size); } }
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
//
// Ok, we have completed the Token Information. Now, we need to parse
// the supplied buffer to come up with creds for the other packages, since
// that's what this is all about
//
Status = NegpMapLogonRequest( ProtocolSubmitBuffer, ClientBufferBase, SubmitBufferSize, &Authentication );
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
//
// Stuff the names:
//
*AccountName = (PUNICODE_STRING) LsapAllocateLsaHeap( sizeof( UNICODE_STRING ) );
if ( ! ( *AccountName ) ) { Status = STATUS_NO_MEMORY ;
goto Clone_Exit ; }
*AuthenticatingAuthority = (PUNICODE_STRING) LsapAllocateLsaHeap( sizeof( UNICODE_STRING ) );
if ( ! ( *AuthenticatingAuthority ) ) { Status = STATUS_NO_MEMORY ;
goto Clone_Exit ; }
*MachineName = (PUNICODE_STRING) LsapAllocateLsaHeap( sizeof( UNICODE_STRING ) );
if ( ! ( *MachineName ) ) { Status = STATUS_NO_MEMORY ;
goto Clone_Exit ; }
//
// Tokens that the LSA normally constructs (SYSTEM, LocalService, NetworkService)
// have special names for returned as part of SID --> name lookups that don't
// necessarily match what's in the token as the account/authority names. Cruft
// up the new token with these special names instead of the standard ones.
//
if (fFilterGroups) { Status = LsapGetLogonSessionAccountInfo( &TokenStats.AuthenticationId, (*AccountName), (*AuthenticatingAuthority) ); } else { LSAP_WELL_KNOWN_SID_INDEX dwIndex = LsapLocalSystemSidIndex;
if (RtlEqualLuid(&TokenStats.AuthenticationId, &LocalServiceLuid)) { dwIndex = LsapLocalServiceSidIndex; } else if (RtlEqualLuid(&TokenStats.AuthenticationId, &NetworkServiceLuid)) { dwIndex = LsapNetworkServiceSidIndex; }
Status = LsapDuplicateString(*AccountName, LsapDbWellKnownSidName(dwIndex));
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
Status = LsapDuplicateString(*AuthenticatingAuthority, LsapDbWellKnownSidDescription(dwIndex)); }
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
//
// Construct the credential data to pass on to the other packages:
//
Status = LsapDuplicateString( &PrimaryCredentials->DomainName, &Authentication->LogonDomainName );
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
Status = LsapDuplicateString( &PrimaryCredentials->DownlevelName, &Authentication->UserName );
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
Status = LsapDuplicateString( &PrimaryCredentials->Password, &Authentication->Password );
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
Status = LsapDuplicateSid( &PrimaryCredentials->UserSid, TokenInfo->User.User.Sid );
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
PrimaryCredentials->Flags = PRIMARY_CRED_CLEAR_PASSWORD ;
//
// Let the LSA do the rest:
//
NtAllocateLocallyUniqueId( &LogonId );
Status = LsapCreateLogonSession( &LogonId );
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
//
// save away username and domainname for auditing
//
LogonSession = LsapLocateLogonSession( &LogonId );
if (LogonSession == NULL) { ASSERT(LogonSession != NULL); Status = STATUS_NO_SUCH_LOGON_SESSION; goto Clone_Exit; }
Status = LsapDuplicateString( &LogonSession->NewAuthorityName, &Authentication->LogonDomainName );
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
Status = LsapDuplicateString( &LogonSession->NewAccountName, &Authentication->UserName );
if ( !NT_SUCCESS( Status ) ) { goto Clone_Exit ; }
NegLogonSession = NegpBuildLogonSession( &LogonId, NegPackageId, NegPackageId );
if ( !NegLogonSession ) { Status = STATUS_NO_MEMORY ; goto Clone_Exit; }
AltName = (PWSTR) LsapAllocatePrivateHeap( Authentication->UserName.Length + Authentication->LogonDomainName.Length + 2 * sizeof( WCHAR ) );
if ( AltName ) { AltNameScan = AltName ; RtlCopyMemory( AltNameScan, Authentication->LogonDomainName.Buffer, Authentication->LogonDomainName.Length );
AltNameScan += Authentication->LogonDomainName.Length / sizeof(WCHAR) ;
*AltNameScan++ = L'\\';
RtlCopyMemory( AltNameScan, Authentication->UserName.Buffer, Authentication->UserName.Length );
AltNameScan += Authentication->UserName.Length / sizeof( WCHAR ) ;
*AltNameScan++ = L'\0';
RtlInitUnicodeString( &NegLogonSession->AlternateName, AltName ); }
NegLogonSession->ParentLogonId = TokenStats.AuthenticationId ;
NegpDerefLogonSession( NegLogonSession );
PrimaryCredentials->LogonId = LogonId ;
*ProfileBuffer = NULL ;
*ProfileBufferLength = 0 ;
*NewLogonId = LogonId ;
*ApiSubStatus = STATUS_SUCCESS ;
*TokenInformationType = LsaTokenInformationV1 ;
*TokenInformation = TokenInfo ;
TokenInfo = NULL ;
*CachedCredentials = NULL ;
Clone_Exit:
SafeAllocaFree(Groups);
if ( FinalGroups ) { LsapFreeTokenGroups( FinalGroups ); }
if ( TokenInfo ) { if ( TokenInfo->User.User.Sid ) { LsapFreeLsaHeap( TokenInfo->User.User.Sid ); }
if ( TokenInfo->Groups ) { LsapFreeTokenGroups( TokenInfo->Groups ); }
if ( TokenInfo->Privileges ) { LsapFreeLsaHeap( TokenInfo->Privileges ); }
LsapFreeLsaHeap( TokenInfo ); }
if (User != (PTOKEN_USER) SmallBuffer) { SafeAllocaFree(User); }
if ( PrimaryGroup != (PTOKEN_PRIMARY_GROUP) SmallBuffer ) { SafeAllocaFree(PrimaryGroup); }
if ( hToken != NULL ) { NtClose( hToken ); }
if ( !NT_SUCCESS( Status ) ) { if ( *AuthenticatingAuthority ) { if ( (*AuthenticatingAuthority)->Buffer ) { LsapFreeLsaHeap( (*AuthenticatingAuthority)->Buffer ); }
LsapFreeLsaHeap( *AuthenticatingAuthority ); *AuthenticatingAuthority = NULL; }
if ( *AccountName ) { if ( (*AccountName)->Buffer ) { LsapFreeLsaHeap( (*AccountName)->Buffer ); }
LsapFreeLsaHeap( *AccountName ); *AccountName = NULL; }
if ( *MachineName ) { if ( (*MachineName)->Buffer ) { LsapFreeLsaHeap( (*MachineName)->Buffer ); }
LsapFreeLsaHeap( *MachineName ); *MachineName = NULL; } }
if (LogonSession) { LsapReleaseLogonSession(LogonSession); }
return Status;}
//+-------------------------------------------------------------------------
//
// Function: NegLogonUserEx2
//
// Synopsis: Handles service, batch, and interactive logons
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSNTAPINegLogonUserEx2( IN PLSA_CLIENT_REQUEST ClientRequest, IN SECURITY_LOGON_TYPE LogonType, IN PVOID ProtocolSubmitBuffer, IN PVOID ClientBufferBase, IN ULONG SubmitBufferSize, OUT PVOID *ProfileBuffer, OUT PULONG ProfileBufferLength, OUT PLUID NewLogonId, OUT PNTSTATUS ApiSubStatus, OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType, OUT PVOID *TokenInformation, OUT PUNICODE_STRING *AccountName, OUT PUNICODE_STRING *AuthenticatingAuthority, OUT PUNICODE_STRING *MachineName, OUT PSECPKG_PRIMARY_CRED PrimaryCredentials, OUT PSECPKG_SUPPLEMENTAL_CRED_ARRAY * CachedCredentials ){ NTSTATUS Status = STATUS_NO_LOGON_SERVERS; PNEG_PACKAGE Package; PVOID LocalSubmitBuffer = ProtocolSubmitBuffer; ULONG_PTR CurrentPackageId = GetCurrentPackageId(); PLSAP_SECURITY_PACKAGE * LogonPackages = NULL; PNEG_LOGON_SESSION LogonSession ; PWSTR AltName, AltNameScan ; NEG_DOMAIN_TYPES DomainType ;
ULONG LogonPackageCount = 0; ULONG Index;
if ( LogonType == NewCredentials ) { ULONG ulTempSize = SubmitBufferSize;
#if _WIN64
Status = NegpConvertWOWInteractiveLogonBuffer(ProtocolSubmitBuffer, ClientBufferBase, &ulTempSize, &LocalSubmitBuffer);
if (!NT_SUCCESS(Status)) { return Status; }
#endif // _WIN64
Status = NegpCloneLogonSession(LocalSubmitBuffer, ClientBufferBase, ulTempSize, ProfileBuffer, ProfileBufferLength, NewLogonId, ApiSubStatus, TokenInformationType, TokenInformation, AccountName, AuthenticatingAuthority, MachineName, PrimaryCredentials, CachedCredentials);
#if _WIN64
if (ProtocolSubmitBuffer != LocalSubmitBuffer) { ZeroMemory(LocalSubmitBuffer, ulTempSize); LsapFreePrivateHeap(LocalSubmitBuffer); }
#endif // _WIN64
return Status; }
//
// Allocate a local copy of the submit buffer so each package can
// mark it up.
//
LocalSubmitBuffer = LsapAllocateLsaHeap(SubmitBufferSize); if (LocalSubmitBuffer == NULL) { return(STATUS_INSUFFICIENT_RESOURCES); }
if ( LogonType == Service ) { ULONG ulAccountId;
//
// Copy the submit buffer for the package to mark up
//
RtlCopyMemory( LocalSubmitBuffer, ProtocolSubmitBuffer, SubmitBufferSize );
if (NegpIsLocalOrNetworkService( LocalSubmitBuffer, ClientBufferBase, SubmitBufferSize, AccountName, AuthenticatingAuthority, MachineName, &ulAccountId)) { Status = NegpMakeServiceToken( ulAccountId, NewLogonId, ProfileBuffer, ProfileBufferLength, ApiSubStatus, TokenInformationType, TokenInformation, AccountName, AuthenticatingAuthority, MachineName, PrimaryCredentials, CachedCredentials );
goto Cleanup; } }
SafeAllocaAllocate(LogonPackages, NegPackageCount * sizeof(PLSAP_SECURITY_PACKAGE));
if (LogonPackages == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
NegReadLockList();
Package = (PNEG_PACKAGE) NegPackageList.Flink ; while ( (PVOID) Package != (PVOID) &NegPackageList ) { if (((Package->LsaPackage->fCapabilities & SECPKG_FLAG_LOGON) != 0) && ((Package->Flags & NEG_PACKAGE_EXTRA_OID ) == 0 ) && (Package->LsaPackage->FunctionTable.LogonUserEx2 != NULL)) { LogonPackages[LogonPackageCount++] = Package->LsaPackage; } Package = (PNEG_PACKAGE) Package->List.Flink ; } NegUnlockList();
for (Index = 0; Index < LogonPackageCount; Index++) {
//
// Cleanup the old audit strings so they don't get leaked
// when the package re-allocates them.
//
if ((*MachineName) != NULL) { if ((*MachineName)->Buffer != NULL) { LsapFreeLsaHeap( (*MachineName)->Buffer ); } LsapFreeLsaHeap( (*MachineName) ); (*MachineName) = NULL; } if ((*AccountName) != NULL) { if ((*AccountName)->Buffer != NULL) { LsapFreeLsaHeap( (*AccountName)->Buffer ); } LsapFreeLsaHeap( (*AccountName) ); (*AccountName) = NULL ; }
if ((*AuthenticatingAuthority) != NULL) { if ((*AuthenticatingAuthority)->Buffer != NULL) { LsapFreeLsaHeap( (*AuthenticatingAuthority)->Buffer ); } LsapFreeLsaHeap( (*AuthenticatingAuthority) ); (*AuthenticatingAuthority) = NULL ; }
//
// Copy the submit buffer for the package to mark up
//
RtlCopyMemory( LocalSubmitBuffer, ProtocolSubmitBuffer, SubmitBufferSize );
SetCurrentPackageId(LogonPackages[Index]->dwPackageID);
Status = LogonPackages[Index]->FunctionTable.LogonUserEx2( ClientRequest, LogonType, LocalSubmitBuffer, ClientBufferBase, SubmitBufferSize, ProfileBuffer, ProfileBufferLength, NewLogonId, ApiSubStatus, TokenInformationType, TokenInformation, AccountName, AuthenticatingAuthority, MachineName, PrimaryCredentials, CachedCredentials ); SetCurrentPackageId(CurrentPackageId);
//
// Bug 226401 If the local machine secret is different from the
// machine account password, kerberos can't decrpyt the workstation
// ticket and returns STATUS_TRUSTED_RELATIONSHIP_FAILURE (used to
// return STATUS_TRUST_FAILURE). If this is a DC, we
// should fall back to NTLM.
//
if (Status == STATUS_TRUST_FAILURE || Status == STATUS_TRUSTED_RELATIONSHIP_FAILURE) { if (NegMachineState & SECPKG_STATE_DOMAIN_CONTROLLER) { Status = STATUS_NO_LOGON_SERVERS; } }
if ((Status != STATUS_NO_LOGON_SERVERS) && (Status != STATUS_NETLOGON_NOT_STARTED) && (Status != SEC_E_NO_AUTHENTICATING_AUTHORITY) && (Status != SEC_E_ETYPE_NOT_SUPP) && (Status != STATUS_KDC_UNKNOWN_ETYPE) && (Status != STATUS_NO_TRUST_SAM_ACCOUNT) && (Status != STATUS_INVALID_PARAMETER) && (Status != STATUS_INVALID_LOGON_TYPE) && (Status != STATUS_INVALID_INFO_CLASS ) && (Status != STATUS_NETWORK_UNREACHABLE) && (Status != STATUS_BAD_VALIDATION_CLASS) ) { break; }
}
if ( NT_SUCCESS( Status ) ) { LogonSession = NegpBuildLogonSession( NewLogonId, LogonPackages[ Index ]->dwPackageID, LogonPackages[ Index ]->dwPackageID );
if ( LogonSession ) { if ( LogonPackages[ Index ]->dwRPCID == NTLMSP_RPCID ) { DebugLog(( DEB_TRACE_NEG, "NTLM Logon\n" ));
//
// Check if this is an uplevel or downlevel domain
//
DomainType = NegpIsUplevelDomain( NewLogonId, LogonType, *AuthenticatingAuthority );
if( DomainType == NegLocalDomain ) { //
// change from Win2k:
// allow full negotiation range by default for local logons.
// Kerberos now quickly fails local account originated operations.
//
LogonSession->DefaultPackage = NegPackageId ; }
if ( DomainType == NegUpLevelDomain ) { if( (LogonType == CachedInteractive) && ((PrimaryCredentials->Flags >> PRIMARY_CRED_LOGON_PACKAGE_SHIFT) == NTLMSP_RPCID) ) { //
// leave the package as NTLM.
//
} else { LogonSession->DefaultPackage = NEG_INVALID_PACKAGE ; } } else if ( DomainType == NegUpLevelTrustedDomain ) { LogonSession->DefaultPackage = NegPackageId ; } else { //
// leave the DefaultPackage as NTLM.
//
NOTHING; }
}
//
// Create the name:
//
AltName = (PWSTR) LsapAllocatePrivateHeap( (*AccountName)->Length + (*AuthenticatingAuthority)->Length + 2 * sizeof( WCHAR ) );
if ( AltName ) { AltNameScan = AltName ; RtlCopyMemory( AltNameScan, (*AuthenticatingAuthority)->Buffer, (*AuthenticatingAuthority)->Length );
AltNameScan += (*AuthenticatingAuthority)->Length / sizeof(WCHAR) ;
*AltNameScan++ = L'\\';
RtlCopyMemory( AltNameScan, (*AccountName)->Buffer, (*AccountName)->Length );
AltNameScan += (*AccountName)->Length / sizeof( WCHAR ) ;
*AltNameScan++ = L'\0';
RtlInitUnicodeString( &LogonSession->AlternateName, AltName ); }
NegpDerefLogonSession( LogonSession ); }
}
Cleanup:
SafeAllocaFree(LogonPackages);
if( LocalSubmitBuffer ) { ZeroMemory(LocalSubmitBuffer, SubmitBufferSize); LsapFreeLsaHeap(LocalSubmitBuffer); }
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: NegpMakeServiceToken
//
// Synopsis: Handles the logon for LocalService and NetworkService
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes: On error, this routine frees the buffers allocated by
// the prior call to NegpIsLocalOrNetworkService
//
//--------------------------------------------------------------------------
NTSTATUSNegpMakeServiceToken( IN ULONG ulAccountId, OUT PLUID pLogonId, OUT PVOID *ProfileBuffer, OUT PULONG ProfileBufferLength, OUT PNTSTATUS ApiSubStatus, OUT PLSA_TOKEN_INFORMATION_TYPE TokenInformationType, OUT PVOID *TokenInformation, OUT PUNICODE_STRING *AccountName, OUT PUNICODE_STRING *AuthenticatingAuthority, OUT PUNICODE_STRING *MachineName, OUT PSECPKG_PRIMARY_CRED PrimaryCredentials, OUT PSECPKG_SUPPLEMENTAL_CRED_ARRAY * CachedCredentials ){ NTSTATUS Status; LPBYTE pBuffer; UINT i; ULONG ulTokenLength = 0; PSID Owner; PSID UserSid; ULONG DaclLength; PACL pDacl; DWORD dwSidLen; HMODULE hStringsResource; LUID SystemId = SYSTEM_LUID;
PTOKEN_GROUPS pGroups; PSID_AND_ATTRIBUTES pSidAndAttrs; TIME_FIELDS TimeFields; SECPKG_CLIENT_INFO ClientInfo; SID_IDENTIFIER_AUTHORITY IdentifierAuthority = SECURITY_NT_AUTHORITY; PLSA_TOKEN_INFORMATION_V2 pTokenInfo = NULL; PLSAP_LOGON_SESSION pLogonSession = NULL; SAMPR_PSID_ARRAY SidArray; SAMPR_SID_INFORMATION SidInfo; PSAMPR_PSID_ARRAY ResourceGroups = NULL;
//
// Don't allow untrusted clients to call this API.
//
Status = LsapGetClientInfo(&ClientInfo);
if (!NT_SUCCESS(Status)) { goto ErrorExit; }
if (!RtlEqualLuid(&ClientInfo.LogonId, &SystemId)) { Status = STATUS_ACCESS_DENIED; goto ErrorExit; }
if (ulAccountId == LSAP_SID_NAME_LOCALSERVICE) { LUID LocalServiceId = LOCALSERVICE_LUID; UNICODE_STRING EmptyString = {0, 0, NULL};
UserSid = LsapLocalServiceSid; PrimaryCredentials->LogonId = LocalServiceId; *pLogonId = LocalServiceId;
Status = LsapDuplicateSid(&PrimaryCredentials->UserSid, UserSid);
if (!NT_SUCCESS(Status)) { goto ErrorExit; }
Status = LsapDuplicateString(&PrimaryCredentials->DomainName, &EmptyString);
if (!NT_SUCCESS(Status)) { goto ErrorExit; }
Status = LsapDuplicateString(&PrimaryCredentials->DownlevelName, &EmptyString);
if (!NT_SUCCESS(Status)) { goto ErrorExit; }
Status = LsapDuplicateString(&PrimaryCredentials->Password, &EmptyString);
if (!NT_SUCCESS(Status)) { goto ErrorExit; } } else { LUID NetworkServiceId = NETWORKSERVICE_LUID;
ASSERT( ulAccountId == LSAP_SID_NAME_NETWORKSERVICE );
UserSid = LsapNetworkServiceSid;
RtlEnterCriticalSection(&NegComputerNamesLock);
Status = NegpCopyCredsToBuffer(&NegPrimarySystemCredentials, NULL, PrimaryCredentials, NULL);
RtlLeaveCriticalSection(&NegComputerNamesLock);
if (!NT_SUCCESS(Status)) { goto ErrorExit; }
PrimaryCredentials->LogonId = NetworkServiceId; *pLogonId = NetworkServiceId;
Status = LsapDuplicateSid(&PrimaryCredentials->UserSid, UserSid);
if (!NT_SUCCESS(Status)) { goto ErrorExit; } }
*CachedCredentials = NULL;
ASSERT(UserSid != NULL);
//
// Make sure there's a logon session for this account
//
pLogonSession = LsapLocateLogonSession(pLogonId);
if (pLogonSession == NULL) { Status = LsapCreateLogonSession(pLogonId);
pLogonSession = LsapLocateLogonSession(pLogonId);
if( pLogonSession == NULL ) { if (!NT_SUCCESS(Status)) { goto ErrorExit; }
ASSERT(pLogonSession != NULL); Status = STATUS_NO_SUCH_LOGON_SESSION; goto ErrorExit; }
Status = STATUS_SUCCESS; }
//
// Compute the length of the default DACL for the token
//
DaclLength = (ULONG) sizeof(ACL) + 2 * ((ULONG) sizeof(ACCESS_ALLOWED_ACE) - sizeof(ULONG)) + RtlLengthSid( LsapLocalSystemSid ) + RtlLengthSid( UserSid );
//
// Make sure SAM has been opened.
//
Status = LsapAuOpenSam( FALSE );
if (!NT_SUCCESS(Status)) { goto ErrorExit; }
//
// Expand out the account domain group information from the SAM. Builtin
// domain expansion will be done by the LSA's logon filter routines.
//
SidInfo.SidPointer = (PRPC_SID) UserSid; SidArray.Count = 1; SidArray.Sids = &SidInfo;
Status = SamIGetResourceGroupMembershipsTransitive(LsapAccountDomainHandle, &SidArray, 0, &ResourceGroups);
if (!NT_SUCCESS(Status)) { goto ErrorExit; }
for (i = 0; i < ResourceGroups->Count; i++) { ulTokenLength += RtlLengthSid(ResourceGroups->Sids[i].SidPointer); }
#define NUM_INHERENT_TOKEN_GROUPS 1
//
// The SIDs are 4-byte aligned so this shouldn't cause problems
// with unaligned accesses (as long as the DACL stays at the
// end of the buffer).
//
ulTokenLength += sizeof(LSA_TOKEN_INFORMATION_V2) + RtlLengthSid( UserSid ) // User
+ sizeof(TOKEN_GROUPS) - sizeof(SID_AND_ATTRIBUTES) + NUM_INHERENT_TOKEN_GROUPS * sizeof(SID_AND_ATTRIBUTES) + ResourceGroups->Count * sizeof(SID_AND_ATTRIBUTES) + RtlLengthSid( UserSid ) // Primary group
+ RtlLengthSid( LsapAliasUsersSid ) + RtlLengthSid( UserSid ) // Owner
+ DaclLength; // DefaultDacl
pTokenInfo = (PLSA_TOKEN_INFORMATION_V2) LsapAllocateLsaHeap(ulTokenLength);
if (pTokenInfo == NULL) { Status = STATUS_NO_MEMORY; goto ErrorExit; }
//
// Set up expiration time
//
TimeFields.Year = 3000; TimeFields.Month = 1; TimeFields.Day = 1; TimeFields.Hour = 1; TimeFields.Minute = 1; TimeFields.Second = 1; TimeFields.Milliseconds = 1; TimeFields.Weekday = 1;
RtlTimeFieldsToTime( &TimeFields, &pTokenInfo->ExpirationTime );
//
// Set up the groups -- do this first so the nested pointers
// don't cause 64-bit alignment faults
//
pGroups = (PTOKEN_GROUPS) (pTokenInfo + 1); pSidAndAttrs = pGroups->Groups; pBuffer = (LPBYTE) (pSidAndAttrs + NUM_INHERENT_TOKEN_GROUPS + ResourceGroups->Count);
pGroups->GroupCount = NUM_INHERENT_TOKEN_GROUPS + ResourceGroups->Count;
//
// Add the Inherent token groups
//
// Add the Users alias because of a timing window after a DC demote. The SCE makes
// Authenticated Users a member of the Users alias on the first boot after the DC demote.
// However, by that time, the local service token will already have been created.
// Unfortunately, except for that timing window, the following code results in a duplicate
// Users alias sid being in the token.
//
dwSidLen = RtlLengthSid(LsapAliasUsersSid); RtlCopySid(dwSidLen, pBuffer, LsapAliasUsersSid); pSidAndAttrs[0].Sid = (PSID) pBuffer; pBuffer += dwSidLen; pSidAndAttrs[0].Attributes = (SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED);
//
// Add the resource groups
//
for (i = 0; i < ResourceGroups->Count; i++) { dwSidLen = RtlLengthSid(ResourceGroups->Sids[i].SidPointer); RtlCopySid(dwSidLen, pBuffer, ResourceGroups->Sids[i].SidPointer);
pSidAndAttrs[i+NUM_INHERENT_TOKEN_GROUPS].Sid = (PSID) pBuffer; pSidAndAttrs[i+NUM_INHERENT_TOKEN_GROUPS].Attributes = (SE_GROUP_MANDATORY | SE_GROUP_ENABLED_BY_DEFAULT | SE_GROUP_ENABLED);
pBuffer += dwSidLen; }
#undef NUM_INHERENT_TOKEN_GROUPS
SamIFreeSidArray(ResourceGroups); ResourceGroups = NULL;
pTokenInfo->Groups = pGroups;
//
// Set up the user ID
//
dwSidLen = RtlLengthSid(UserSid); RtlCopySid(dwSidLen, (PSID) pBuffer, UserSid); pTokenInfo->User.User.Sid = (PSID) pBuffer; pTokenInfo->User.User.Attributes = 0; pBuffer += dwSidLen;
//
// Establish the primary group
//
dwSidLen = RtlLengthSid(UserSid); RtlCopySid(dwSidLen, (PSID) pBuffer, UserSid); pTokenInfo->PrimaryGroup.PrimaryGroup = (PSID) pBuffer; pBuffer += dwSidLen;
//
// Set the default owner
//
dwSidLen = RtlLengthSid(UserSid); RtlCopySid(dwSidLen, (PSID) pBuffer, UserSid); pTokenInfo->Owner.Owner = (PSID) pBuffer; pBuffer += dwSidLen;
//
// Privileges -- none by default (set by policy)
//
pTokenInfo->Privileges = NULL;
//
// Set up the default DACL for token. Give system full reign of terror.
//
pDacl = (PACL) pBuffer;
Status = RtlCreateAcl(pDacl, DaclLength, ACL_REVISION2); ASSERT( NT_SUCCESS(Status) );
Status = RtlAddAccessAllowedAce(pDacl, ACL_REVISION2, GENERIC_ALL, LsapLocalSystemSid);
ASSERT( NT_SUCCESS(Status) );
Status = RtlAddAccessAllowedAce(pDacl, ACL_REVISION2, GENERIC_ALL, UserSid);
ASSERT( NT_SUCCESS(Status) );
RtlCopyMemory(pBuffer, pDacl, DaclLength);
pTokenInfo->DefaultDacl.DefaultDacl = (PACL) pBuffer;
pBuffer += DaclLength;
ASSERT( (ULONG)(ULONG_PTR)(pBuffer - (LPBYTE) pTokenInfo) == ulTokenLength );
//
// Now fill in the out parameters
//
//
// LocalService/NetworkService have no profile
//
*ProfileBuffer = NULL; *ProfileBufferLength = 0; *TokenInformationType = LsaTokenInformationV2; *TokenInformation = pTokenInfo;
LsapReleaseLogonSession(pLogonSession);
*ApiSubStatus = STATUS_SUCCESS; return STATUS_SUCCESS;
ErrorExit:
if (*AuthenticatingAuthority) { LsapFreeLsaHeap((*AuthenticatingAuthority)->Buffer); LsapFreeLsaHeap(*AuthenticatingAuthority); *AuthenticatingAuthority = NULL; }
if (*AccountName) { LsapFreeLsaHeap((*AccountName)->Buffer); LsapFreeLsaHeap(*AccountName); *AccountName = NULL; }
if (*MachineName) { LsapFreeLsaHeap((*MachineName)->Buffer); LsapFreeLsaHeap(*MachineName); *MachineName = NULL; }
LsapFreeLsaHeap(PrimaryCredentials->UserSid); PrimaryCredentials->UserSid = NULL;
LsapFreeLsaHeap(PrimaryCredentials->DomainName.Buffer); RtlZeroMemory(&PrimaryCredentials->DomainName, sizeof(UNICODE_STRING));
LsapFreeLsaHeap(PrimaryCredentials->DownlevelName.Buffer); RtlZeroMemory(&PrimaryCredentials->DownlevelName, sizeof(UNICODE_STRING));
LsapFreeLsaHeap(PrimaryCredentials->Password.Buffer); RtlZeroMemory(&PrimaryCredentials->Password, sizeof(UNICODE_STRING));
SamIFreeSidArray(ResourceGroups);
if (pLogonSession) { LsapReleaseLogonSession(pLogonSession); }
LsapFreeLsaHeap(pTokenInfo);
*ApiSubStatus = Status; return Status;}
//+-------------------------------------------------------------------------
//
// Function: NegpIsLocalOrNetworkService
//
// Synopsis: Allocates memory for the account name, machine name,
// and authenticating authority for LocalService and
// NetworkService logons
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes: The caller is responsible for freeing the allocated
// buffers if this routine succeeds
//
//--------------------------------------------------------------------------
BOOLNegpIsLocalOrNetworkService( IN PVOID ProtocolSubmitBuffer, IN PVOID ClientBufferBase, IN ULONG SubmitBufferSize, OUT PUNICODE_STRING *AccountName, OUT PUNICODE_STRING *AuthenticatingAuthority, OUT PUNICODE_STRING *MachineName, OUT PULONG pulAccountId ){ NTSTATUS Status;
PUNICODE_STRING pTempAccount; PUNICODE_STRING pTempAuthority;
PMSV1_0_INTERACTIVE_LOGON Authentication = NULL;
*AccountName = NULL; *AuthenticatingAuthority = NULL; *MachineName = NULL;
//
// Parse the supplied buffer to come up with creds
//
Status = NegpMapLogonRequest( ProtocolSubmitBuffer, ClientBufferBase, SubmitBufferSize, &Authentication);
if (!NT_SUCCESS(Status)) { goto ErrorExit ; }
//
// Get the info to compare for LocalService first. Check both the
// localized version and the non-localized version (which could come
// from the registry).
//
pTempAuthority = &WellKnownSids[LsapLocalServiceSidIndex].DomainName; pTempAccount = &WellKnownSids[LsapLocalServiceSidIndex].Name;
if (RtlCompareUnicodeString(&NTAuthorityName, &Authentication->LogonDomainName, TRUE) == 0) { //
// Hardcoded "NT AUTHORITY" -- check hardcoded
// "LocalService" and "NetworkService" and
// localize it here on a match.
//
if (RtlCompareUnicodeString(&LocalServiceName, &Authentication->UserName, TRUE) == 0) { pTempAccount = &WellKnownSids[LsapLocalServiceSidIndex].Name; *pulAccountId = LSAP_SID_NAME_LOCALSERVICE; Status = STATUS_SUCCESS; } else if (RtlCompareUnicodeString(&NetworkServiceName, &Authentication->UserName, TRUE) == 0) { pTempAccount = &WellKnownSids[LsapNetworkServiceSidIndex].Name; *pulAccountId = LSAP_SID_NAME_NETWORKSERVICE; Status = STATUS_SUCCESS; } else { Status = STATUS_NO_SUCH_USER; } } else { Status = STATUS_NO_SUCH_USER; }
//
// Hardcoded comparison failed -- try localized versions. Note that
// we have to check again (rather than using an "else" with the "if"
// above) since "NT AUTHORITY" may be both the hardcoded and the
// localized name (e.g., in English). Since Status is already a
// failure code, let the failure cases trickle through.
//
if (!NT_SUCCESS(Status)) { if (RtlCompareUnicodeString(pTempAuthority, &Authentication->LogonDomainName, TRUE) == 0) { //
// Localized "NT AUTHORITY" -- check localized
// "LocalService" and "NetworkService"
//
pTempAccount = &WellKnownSids[LsapLocalServiceSidIndex].Name;
if (RtlCompareUnicodeString(pTempAccount, &Authentication->UserName, TRUE) == 0) { *pulAccountId = LSAP_SID_NAME_LOCALSERVICE; Status = STATUS_SUCCESS; } else { pTempAccount = &WellKnownSids[LsapNetworkServiceSidIndex].Name;
if (RtlCompareUnicodeString(pTempAccount, &Authentication->UserName, TRUE) == 0) { *pulAccountId = LSAP_SID_NAME_NETWORKSERVICE; Status = STATUS_SUCCESS; } else { Status = STATUS_NO_SUCH_USER; } } } else { Status = STATUS_NO_SUCH_USER; } }
if (!NT_SUCCESS(Status)) { goto ErrorExit; }
//
// Stuff the names:
//
*AccountName = (PUNICODE_STRING) LsapAllocateLsaHeap(sizeof(UNICODE_STRING));
if (!(*AccountName)) { Status = STATUS_NO_MEMORY; goto ErrorExit; }
Status = LsapDuplicateString(*AccountName, pTempAccount);
if (!NT_SUCCESS(Status)) { goto ErrorExit; }
*AuthenticatingAuthority = (PUNICODE_STRING) LsapAllocateLsaHeap(sizeof(UNICODE_STRING));
if (!(*AuthenticatingAuthority)) { Status = STATUS_NO_MEMORY; goto ErrorExit; }
Status = LsapDuplicateString(*AuthenticatingAuthority, pTempAuthority);
if (!NT_SUCCESS(Status)) { goto ErrorExit; }
*MachineName = (PUNICODE_STRING) LsapAllocateLsaHeap(sizeof(UNICODE_STRING));
if (!(*MachineName)) { Status = STATUS_NO_MEMORY; goto ErrorExit ; }
return TRUE;
ErrorExit:
if (*AuthenticatingAuthority) { LsapFreeLsaHeap((*AuthenticatingAuthority)->Buffer); LsapFreeLsaHeap(*AuthenticatingAuthority); *AuthenticatingAuthority = NULL; }
if (*AccountName) { LsapFreeLsaHeap((*AccountName)->Buffer); LsapFreeLsaHeap(*AccountName); *AccountName = NULL; }
if (*MachineName) { LsapFreeLsaHeap((*MachineName)->Buffer); LsapFreeLsaHeap(*MachineName); *MachineName = NULL; }
return FALSE;}
BOOLNegpRearrangeMechsIfNeccessary( struct MechTypeList ** RealMechList, PSECURITY_STRING Target, PBOOL DirectPacket ){ PWSTR FirstSlash ; PWSTR SecondSlash = NULL; PNEG_TRUST_LIST TrustList = NULL ; UNICODE_STRING TargetHost ; UNICODE_STRING SpnPrefix; UNICODE_STRING HttpPrefix; struct MechTypeList * MechList ; struct MechTypeList * Reorder = NULL ; struct MechTypeList * Trailer ; BOOL Rearranged = FALSE ; BOOL HttpSpn = FALSE; BOOLEAN PortInstance = FALSE;
if ( Target == NULL ) { DebugLog(( DEB_TRACE_NEG, "Loopback detected for local target (no targetname)\n")); goto loopback; }
if ( Target->Length == 0 ) { DebugLog(( DEB_TRACE_NEG, "Loopback detected for local target (no targetname)\n")); goto loopback; }
//
// Now, examine the target and determine if it is referring to us
//
FirstSlash = wcschr( Target->Buffer, L'/' );
if ( !FirstSlash ) { //
// Not an SPN, we're out of here
//
return FALSE ; } else {
*FirstSlash = L'\0';
}
//
// HACK HACK HACK: We've got to call NTLM directly in
// the loopback case, or Wininet can't handle our "extra" nego trips....
//
RtlInitUnicodeString( &SpnPrefix, Target->Buffer );
RtlInitUnicodeString( &HttpPrefix, L"HTTP" );
if (RtlEqualUnicodeString( &SpnPrefix, &HttpPrefix, TRUE )) { HttpSpn = TRUE; DebugLog((DEB_TRACE_NEG, "Found HTTP SPN, about to force NTLM directly\n")); }
*FirstSlash = L'/'; // END HACK END HACK
FirstSlash++ ;
//
// if this is a svc/instance:port/domain style SPN, ignore the trailer
// portion
// trailer portion can be a port, domain, or both.
// the port instance will occur first...
//
SecondSlash = wcschr( FirstSlash, L':' );
if ( SecondSlash ) { //
// found a port instance.
//
*SecondSlash = L'\0'; PortInstance = TRUE;
} else {
//
// look for a realm/domain instance!
//
SecondSlash = wcschr( FirstSlash, L'/' );
if ( SecondSlash ) { *SecondSlash = L'\0'; } }
RtlInitUnicodeString( &TargetHost, FirstSlash );
NegReadLockComputerNames();
if (!RtlEqualUnicodeString( &TargetHost, &NegDnsComputerName_U, TRUE ) && !RtlEqualUnicodeString( &TargetHost, &NegNetbiosComputerName_U, TRUE ) && !RtlEqualUnicodeString( &TargetHost, &NegLocalHostName_U, TRUE ) ) { NegUnlockComputerNames(); goto Cleanup ; }
NegUnlockComputerNames();
//
// We have a loopback condition. The target we are going to is our own host
// name. So, scan through the mech list, and find the NTLM mech (if present)
// and bump it up.
//
#if DBG
if ( SecondSlash ) { //
// for debug builds, reset the string now for the dump message, so that
// we can make sure the right targets are being caught. Free builds will
// reset this at the cleanup stage.
//
*SecondSlash = L'/'; SecondSlash = NULL ; }#endif
DebugLog(( DEB_TRACE_NEG, "Loopback detected for target %ws\n", Target->Buffer ));
loopback:
MechList = *RealMechList ; Trailer = NULL ;
while ( MechList ) { if ( (MechList->value != NULL) && (NegpCompareOid( MechList->value, NegNtlmMechOid ) == 0) ) { //
// Found NTLM. Unlink it and put it at the head of the new list
//
Reorder = MechList ; if ( Trailer ) { Trailer->next = MechList->next ; } else { // update original pointer
*RealMechList = MechList->next ; } MechList = MechList->next ; Reorder->next = NULL ; } else { Trailer = MechList ; MechList = MechList->next ; }
}
//
// Reorder points to the NTLM element, if there are NTLM creds. If not, this is NULL.
// Now, append the rest of the list
//
if ( Reorder ) { Reorder->next = *RealMechList ; *RealMechList = Reorder ; Rearranged = TRUE ; }
// Only set this if everything else went well
// HACK PART 2
*DirectPacket = HttpSpn;
Cleanup:
if ( SecondSlash ) { if ( !PortInstance ) { *SecondSlash = L'/'; } else { *SecondSlash = L':'; } }
return Rearranged ;
}
#ifdef _WIN64
//
// WOW structure definitions
//
typedef UNICODE_STRING32 UNICODE_STRING_WOW64;typedef UNICODE_STRING_WOW64 *PUNICODE_STRING_WOW64;
typedef struct _MSV1_0_INTERACTIVE_LOGON_WOW64 { MSV1_0_LOGON_SUBMIT_TYPE MessageType; UNICODE_STRING_WOW64 LogonDomainName; UNICODE_STRING_WOW64 UserName; UNICODE_STRING_WOW64 Password;} MSV1_0_INTERACTIVE_LOGON_WOW64, *PMSV1_0_INTERACTIVE_LOGON_WOW64;
//
// Useful macros to thunk WOW structures to native structures
//
#define RELOCATE_WOW_UNICODE_STRING(WOWString, NativeString, Offset) \
NativeString.Length = WOWString.Length; \ NativeString.MaximumLength = WOWString.MaximumLength; \ NativeString.Buffer = (LPWSTR) ((LPBYTE) UlongToPtr(WOWString.Buffer) + Offset);
//+-------------------------------------------------------------------------
//
// Function: NegpConvertWOWInteractiveLogonBuffer
//
// Synopsis: Converts logon buffers passed in from WOW clients to 64-bit
//
// Effects:
//
// Arguments: ProtocolSubmitBuffer -- original 32-bit logon buffer
// pSubmitBufferSize -- size of the 32-bit logon buffer
// MessageType -- format of the logon buffer
// ppTempSubmitBuffer -- filled in with the converted buffer
//
// Requires:
//
// Returns:
//
// Notes: This routine allocates the converted buffer and returns it
// on success. It is the caller's responsibility to free it
// iff the returned OUT buffer is different from the original
// IN buffer (since native calls return the buffer untouched).
//
//--------------------------------------------------------------------------
NTSTATUSNegpConvertWOWInteractiveLogonBuffer( IN PVOID ProtocolSubmitBuffer, IN PVOID ClientBufferBase, IN OUT PULONG pSubmitBufferSize, OUT PVOID *ppTempSubmitBuffer ){ NTSTATUS Status; PVOID pTempBuffer = NULL; ULONG dwBufferSize = *pSubmitBufferSize;
SECPKG_CALL_INFO CallInfo; PMSV1_0_INTERACTIVE_LOGON Logon; PMSV1_0_INTERACTIVE_LOGON_WOW64 LogonWOW; DWORD dwOffset; DWORD dwWOWOffset;
//
// Pacify the compiler
//
UNREFERENCED_PARAMETER(ClientBufferBase);
Status = LsapGetCallInfo(&CallInfo);
if (!NT_SUCCESS(Status)) { return Status; }
if ((CallInfo.Attributes & SECPKG_CALL_WOWCLIENT) == 0) { //
// Native 64-bit call -- no thunking required.
//
*ppTempSubmitBuffer = ProtocolSubmitBuffer; return STATUS_SUCCESS; }
//
// Scale up the size
//
dwBufferSize += sizeof(MSV1_0_INTERACTIVE_LOGON) - sizeof(MSV1_0_INTERACTIVE_LOGON_WOW64);
if (dwBufferSize < sizeof(MSV1_0_INTERACTIVE_LOGON)) { Status = STATUS_INVALID_PARAMETER; goto Cleanup; }
pTempBuffer = LsapAllocatePrivateHeap(dwBufferSize);
if (pTempBuffer == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
Logon = (PMSV1_0_INTERACTIVE_LOGON) pTempBuffer; LogonWOW = (PMSV1_0_INTERACTIVE_LOGON_WOW64) ProtocolSubmitBuffer;
Logon->MessageType = LogonWOW->MessageType;
dwOffset = sizeof(MSV1_0_INTERACTIVE_LOGON); dwWOWOffset = sizeof(MSV1_0_INTERACTIVE_LOGON_WOW64);
//
// Copy the variable-length data
//
RtlCopyMemory((LPBYTE) Logon + dwOffset, (LPBYTE) LogonWOW + dwWOWOffset, *pSubmitBufferSize - dwWOWOffset);
//
// Set up the pointers in the native struct
//
RELOCATE_WOW_UNICODE_STRING(LogonWOW->LogonDomainName, Logon->LogonDomainName, dwOffset - dwWOWOffset);
RELOCATE_WOW_UNICODE_STRING(LogonWOW->UserName, Logon->UserName, dwOffset - dwWOWOffset);
RELOCATE_WOW_UNICODE_STRING(LogonWOW->Password, Logon->Password, dwOffset - dwWOWOffset);
*pSubmitBufferSize = dwBufferSize; *ppTempSubmitBuffer = pTempBuffer;
return STATUS_SUCCESS;
Cleanup:
if (pTempBuffer) { LsapFreePrivateHeap(pTempBuffer); }
return Status;}
#endif // _WIN64
|
