|
|
//+-----------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (c) Microsoft Corporation 1992 - 1996
//
// File: ctxtapi.cxx
//
// Contents: Context APIs for Kerberos package
//
//
// History: 16-April-1996 Created MikeSw
// 26-Sep-1998 ChandanS
// Added more debugging support etc.
//
//------------------------------------------------------------------------
#include <kerb.hxx>
#include <kerbp.h>
#include "kerbevt.h"
#include <gssapip.h>
#include <krbaudit.h>
#ifdef RETAIL_LOG_SUPPORT
static TCHAR THIS_FILE[]=TEXT(__FILE__);#endif
UNICODE_STRING KerbTargetPrefix = {sizeof(L"krb5://")-sizeof(WCHAR),sizeof(L"krb5://"),L"krb5://" };
#ifdef DBG
LONG Audits = 0;LONG Token = 0;#endif
#define FILENO FILENO_CTXTAPI
//+-------------------------------------------------------------------------
//
// Function: SpDeleteContext
//
// Synopsis: Deletes a Kerberos context
//
// Effects:
//
// Arguments: ContextHandle - The context to delete
//
// Requires:
//
// Returns: STATUS_SUCCESS or STATUS_INVALID_HANDLE
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPISpDeleteContext( IN LSA_SEC_HANDLE ContextHandle ){ NTSTATUS Status; PKERB_CONTEXT Context; KERB_CONTEXT_STATE ContextState; ULONG ClientProcess = 0;
D_DebugLog((DEB_TRACE_API,"SpDeleteContext 0x%x called\n",ContextHandle));
if (!KerbGlobalInitialized) { Status = STATUS_INVALID_SERVER_STATE; Context = NULL; goto Cleanup; }
Status = KerbReferenceContext( ContextHandle, TRUE, // unlink handle
&Context );
if (Context == NULL) { D_DebugLog((DEB_ERROR,"SpDeleteContext: Context 0x%x not located. %ws, line %d\n",ContextHandle, THIS_FILE, __LINE__)); goto Cleanup; }
#ifndef WIN32_CHICAGO
KerbReadLockContexts();
// Need to copy out the context data else we'll end up holding the lock
// for too long a time.
//
ContextState = Context->ContextState;
ClientProcess = Context->ClientProcess; KerbUnlockContexts();
// If this was a context that was dropped in the middle,
// audit it as a logon failure.
//
if (ContextState == ApReplySentState) { LsaFunctions->AuditLogon( STATUS_UNFINISHED_CONTEXT_DELETED, STATUS_SUCCESS, &Context->ClientName, &Context->ClientRealm, NULL, // no workstation
Context->UserSid, Network, &KerberosSource, &Context->LogonId ); }#endif // WIN32_CHICAGO
//
// Now dereference the Context. If nobody else is using this Context
// currently it will be freed.
//
KerbDereferenceContext(Context); Status = STATUS_SUCCESS;
Cleanup:
D_DebugLog((DEB_TRACE_LEAKS,"SpDeleteContext returned 0x%x, Context 0x%x, Pid 0x%x\n",KerbMapKerbNtStatusToNtStatus(Status), Context, ClientProcess)); D_DebugLog((DEB_TRACE_API, "SpDeleteContext returned 0x%x\n", KerbMapKerbNtStatusToNtStatus(Status))); return(KerbMapKerbNtStatusToNtStatus(Status));}
//+-------------------------------------------------------------------------
//
// Function: KerbProcessTargetNames
//
// Synopsis: Takes the target names from both the negotiate hint and
// supplied by the caller and creates the real Kerberos target
// name.
//
// Effects:
//
// Arguments: TargetName - supplies the name passed in the TargetName
// parameter of InitializeSecurityContext.
// SuppTargetName - If present, an alternate name passed in
// a security token.
// Flags - flags to use when cracking a name. May be:
// KERB_CRACK_NAME_USE_WKSTA_REALM - if no realm can be
// determined, use the realm of the wksta
// KERB_CRACK_NAME_REALM_SUPPLIED - the caller has the
// realm name, so treat "@" in the name as a normal
// character, not a spacer.
// UseSpnRealmSupplied - If the target name was an spn and it
// contained a realm, it's set to TRUE
// FinalTarget - The processed name. Must be freed with KerbFreeKdcName.
// TargetRealm - If the name contains a realm portions, this is
// the realm. Should be freed using KerbFreeString.
//
//
// Requires:
//
// Returns:
//
// Notes: If the name has an "@" in it, it is converted into a standard
// Kerberos V5 name - everything after the "@" is put in the
// realm field, and everything before the @ is separted at the
// "/" characters into different pieces of the name. Depending
// on the number of pieces, it is passed as a KRB_NT_PRINCIPAL (1)
// or KRB_NT_SRV_INSTANCE (2), or KRB_NT_SRV_XHST (3+)
//
// If the name has an "\" in it, it is assumed to be an NT4
// name & put as is into a KRB_NT_MS_PRINCIPAL_NAME name
//
// If the name has neither a "\" or a "@" or a "/", it is
// assumed to be a simple name & passed as KRB_NT_PRINCIPAL
// in the caller's domain.
//
//
//
//--------------------------------------------------------------------------
#ifdef later
#define KERB_LOCALHOST_NAME L"localhost"
#endif
NTSTATUSKerbProcessTargetNames( IN PUNICODE_STRING TargetName, IN OPTIONAL PUNICODE_STRING SuppTargetName, IN ULONG Flags, IN OUT PULONG ProcessFlags, OUT PKERB_INTERNAL_NAME * FinalTarget, OUT PUNICODE_STRING TargetRealm, OUT OPTIONAL PKERB_SPN_CACHE_ENTRY * SpnCacheEntry ){ NTSTATUS Status = STATUS_SUCCESS; SHORT NameType = 0; PKERB_INTERNAL_NAME OutputName = NULL; USHORT NameParts = 0, ExtraNameParts = 0; ULONG NameLength = 0; USHORT Index, NameIndex; PUNICODE_STRING RealTargetName; UNICODE_STRING CacheTargetRealm = {0}; UNICODE_STRING SuppliedRealm = {0}; UNICODE_STRING FirstNamePart = {0}; PKERB_SPN_CACHE_ENTRY LocalCacheEntry = NULL;#ifdef later
UNICODE_STRING LocalhostName = {0}; BOOLEAN ReplaceLocalhost = FALSE;#endif
BOOLEAN DoneParsing = FALSE; PKERB_MIT_REALM MitRealm; BOOLEAN UsedAlternateName; PUCHAR Where;
*ProcessFlags = 0;
//
// If a supplemental target name was supplied, use it as it is more likely
// to be correct.
//
if (ARGUMENT_PRESENT(SuppTargetName) && (SuppTargetName->Length > 0)) { RealTargetName = SuppTargetName; } else { RealTargetName = TargetName; }
//
// If this is an IP address, we don't handle it so bail now.
//
if (KerbIsIpAddress(RealTargetName)) { D_DebugLog((DEB_ERROR,"Ip address passed as target name: %wZ. Failing InitSecCtxt\n", RealTargetName )); Status = SEC_E_TARGET_UNKNOWN; goto Cleanup; }
#ifdef later
RtlInitUnicodeString( &LocalhostName, KERB_LOCALHOST_NAME );#endif
//
// Initialize the first part of the name to the whole string
//
FirstNamePart.Buffer = RealTargetName->Buffer; FirstNamePart.Length = RealTargetName->Length; FirstNamePart.MaximumLength = FirstNamePart.Length;
//
// Check the characters in the name. Search backwards to front because
// username may have "@" signs in them.
//
for ( Index = (RealTargetName->Length / sizeof(WCHAR)); Index-- > 0; ) { switch(RealTargetName->Buffer[Index]) { case L'@':
//
// If we have a realm name already, ignore this character.
//
if ((Flags & KERB_CRACK_NAME_REALM_SUPPLIED) != 0) { break; }
//
// If we haven't hit any other separators, this is user@domain kind
// of name
//
if (NameType == 0) { NameType = KRB_NT_PRINCIPAL; NameParts++;
SuppliedRealm.Buffer = &RealTargetName->Buffer[Index] + 1; SuppliedRealm.Length = RealTargetName->Length - (Index + 1) * sizeof(WCHAR); SuppliedRealm.MaximumLength = SuppliedRealm.Length;
if (SuppliedRealm.Length == 0) { Status = SEC_E_TARGET_UNKNOWN; goto Cleanup; }
FirstNamePart.Buffer = RealTargetName->Buffer; FirstNamePart.Length = Index * sizeof(WCHAR); FirstNamePart.MaximumLength = FirstNamePart.Length; }// else
// {
// Status = SEC_E_TARGET_UNKNOWN;
// goto Cleanup;
// }
break;
case L'/':
//
// All names that have a '/' separator are KRB_NT_SRV_INST
// If we saw an @before this, we need to do something special.
//
NameType = KRB_NT_SRV_INST; NameParts ++; break;
case L'\\':
//
// If we have a realm name already, ignore this character.
//
if ((Flags & KERB_CRACK_NAME_REALM_SUPPLIED) != 0) { break; }
//
// If we hit a backslash, this is an NT4 style name, so treat it
// as such.
// Just for error checking purposes, make sure that the current
// name type was 0
//
if (NameType != 0) { Status = SEC_E_TARGET_UNKNOWN; goto Cleanup; } NameType = KRB_NT_MS_PRINCIPAL; NameParts = 1; SuppliedRealm.Buffer = RealTargetName->Buffer; SuppliedRealm.Length = Index * sizeof(WCHAR); SuppliedRealm.MaximumLength = SuppliedRealm.Length;
FirstNamePart.Buffer = &RealTargetName->Buffer[Index] + 1; FirstNamePart.Length = RealTargetName->Length - (Index + 1) * sizeof(WCHAR); FirstNamePart.MaximumLength = FirstNamePart.Length;
if (SuppliedRealm.Length == 0 || FirstNamePart.Length == 0) { Status = SEC_E_TARGET_UNKNOWN; goto Cleanup; }
DoneParsing = TRUE;
break;
default: break;
} if (DoneParsing) { break; } }
//
// If we didn't exit early, then we were sent a name with no "@" sign.
// If there were no separators, then it is a flat principal name
//
if (!DoneParsing && (NameType == 0)) { if (NameParts == 0) { //
// The name has no separators, so it is a flat principal name
//
NameType = KRB_NT_PRINCIPAL; NameParts = 1; } }
//
// For KRB_NT_SRV_INST, get the name parts correct and tell the caller
// that a realm was supplied in the spn
//
if (NameType == KRB_NT_SRV_INST) { if (SuppliedRealm.Length == 0) { // We have an spn of the form a/b..../n and the name parts needs
// to be upped by one
// If we had an spn of the form a/b@c, then the name
// parts would be right.
NameParts++; } else { // We need to filter this back to the caller so that the
// name canonicalization bit is not set.
*ProcessFlags |= KERB_GET_TICKET_NO_CANONICALIZE; } }
//
// Check for an MIT realm with the supplied realm - if the name type is
// KRB_NT_PRINCIPAL, send it as a UPN unless we can find an MIT realm.
// If we are not a member of a domain, then we can't default so use
// the domain name supplied. Also, if we are using supplied credentials
// we don't want to use the wksta realm.
if ( (NameType == KRB_NT_PRINCIPAL) && (KerbGetGlobalRole() != KerbRoleRealmlessWksta) // not realmless
&& ((Flags & KERB_CRACK_NAME_USE_WKSTA_REALM) != 0) ) { BOOLEAN Result; Result = KerbLookupMitRealm( &SuppliedRealm, &MitRealm, &UsedAlternateName ); //
// If we didn't find a realm, use this as a UPN
//
if (!Result) { //
// If the caller supplied the realm separately, then don't
// send it as a UPN.
//
if ((Flags & KERB_CRACK_NAME_REALM_SUPPLIED) == 0) { //
// send it as UPN
NameType = KRB_NT_ENTERPRISE_PRINCIPAL; NameParts = 1; FirstNamePart = *RealTargetName; RtlInitUnicodeString( &SuppliedRealm, NULL ); } } //
// For logon, its interesting to know if we're doing an MIT realm lookup
//
else { D_DebugLog((DEB_TRACE, "Using MIT realm in Process TargetName\n")); *ProcessFlags |= KERB_MIT_REALM_USED; } }
NameLength = FirstNamePart.Length + NameParts * sizeof(WCHAR);
D_DebugLog((DEB_TRACE_CTXT, "Parsed name %wZ (%wZ) into:\n\t name type 0x%x, name count %d, \n\t realm %wZ, \n\t first part %wZ\n", TargetName, SuppTargetName, NameType, NameParts, &SuppliedRealm, &FirstNamePart ));
#ifdef later
//
// If the name end in "localhost", replace it with our dns machine
// name.
//
if ((NameType == KRB_NT_SRV_INST) && (NameParts == 2) && (RealTargetName->Length > LocalhostName.Length) && RtlEqualMemory( RealTargetName->Buffer + (RealTargetName->Length - LocalhostName.Length ) / sizeof(WCHAR), LocalhostName.Buffer, LocalhostName.Length ))
{ NameLength -= LocalhostName.Length; KerbGlobalReadLock(); NameLength += KerbGlobalMitMachineServiceName->Names[1].Length;
//
// Set the flag to indicate we need to replace the name, and that
// the global lock is held.
//
ReplaceLocalhost = TRUE; }#endif
//
// Create the output names
//
OutputName = (PKERB_INTERNAL_NAME) KerbAllocate(KERB_INTERNAL_NAME_SIZE(NameParts + ExtraNameParts) + NameLength); if (OutputName == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; }
OutputName->NameCount = NameParts + ExtraNameParts; OutputName->NameType = NameType;
Where = (PUCHAR) OutputName + KERB_INTERNAL_NAME_SIZE(NameParts+ExtraNameParts); NameIndex = 0;
//
// If there is only one part of the name, handle that first
//
if (NameParts == 1) { OutputName->Names[0].Length = FirstNamePart.Length; OutputName->Names[0].MaximumLength = FirstNamePart.Length + sizeof(WCHAR); OutputName->Names[0].Buffer = (LPWSTR) Where; RtlCopyMemory( Where, FirstNamePart.Buffer, FirstNamePart.Length ); OutputName->Names[0].Buffer[FirstNamePart.Length / sizeof(WCHAR)] = L'\0'; Where += FirstNamePart.Length + sizeof(WCHAR); NameIndex = 1;
} else { UNICODE_STRING TempName;
//
// Build up the name, piece by piece
//
DoneParsing = FALSE; NameIndex = 0; TempName.Buffer = FirstNamePart.Buffer;
for ( Index = 0; Index <= FirstNamePart.Length / sizeof(WCHAR) ; Index++ ) { //
// If we hit the end or a separator, build a name part
//
if ((Index == FirstNamePart.Length / sizeof(WCHAR)) || (FirstNamePart.Buffer[Index] == L'/') ) {#ifdef later
if ((NameIndex == 1) && (ReplaceLocalhost)) { OutputName->Names[NameIndex].Length = KerbGlobalMitMachineServiceName->Names[1].Length; OutputName->Names[NameIndex].MaximumLength = OutputName->Names[NameIndex].Length + sizeof(WCHAR); OutputName->Names[NameIndex].Buffer = (LPWSTR) Where;
RtlCopyMemory( Where, KerbGlobalMitMachineServiceName->Names[1].Buffer, OutputName->Names[NameIndex].Length ); //
// Release the lock now
//
KerbGlobalReleaseLock(); ReplaceLocalhost = FALSE; } else#endif
{ OutputName->Names[NameIndex].Length = (USHORT) (&FirstNamePart.Buffer[Index] - TempName.Buffer) * sizeof(WCHAR); OutputName->Names[NameIndex].MaximumLength = OutputName->Names[NameIndex].Length + sizeof(WCHAR); OutputName->Names[NameIndex].Buffer = (LPWSTR) Where;
RtlCopyMemory( Where, TempName.Buffer, OutputName->Names[NameIndex].Length ); } Where += OutputName->Names[NameIndex].Length; *(LPWSTR)Where = L'\0'; Where += sizeof(WCHAR);
NameIndex++; TempName.Buffer = &FirstNamePart.Buffer[Index+1]; } }
DsysAssert(NameParts == NameIndex); }
//
// Now that we've built the output name, check SPN Cache.
//
if ( ARGUMENT_PRESENT(SpnCacheEntry) && NameType == KRB_NT_SRV_INST && SuppliedRealm.Length == 0 )
{
LocalCacheEntry = KerbLocateSpnCacheEntry(OutputName);
if (NULL != LocalCacheEntry) { DebugLog((DEB_TRACE_SPN_CACHE, "Found in SPN Cache %p ", LocalCacheEntry)); D_KerbPrintKdcName((DEB_TRACE_SPN_CACHE, LocalCacheEntry->Spn)); *SpnCacheEntry = LocalCacheEntry; LocalCacheEntry = NULL;
*ProcessFlags |= KERB_TARGET_USED_SPN_CACHE;
} else { //
// This is used for HostToRealm mappings.
//
KerbSpnSubstringMatch( OutputName, &CacheTargetRealm ); }
}
D_DebugLog((DEB_TRACE_CTXT,"Cracked name %wZ into: ", RealTargetName)); D_KerbPrintKdcName((DEB_TRACE_CTXT,OutputName));
//
// Only use SPN cache w/o supplied credentials - we don't even talk
// to the cache if the SuppliedRealm is present.
//
if (CacheTargetRealm.Buffer != NULL) { Status = KerbDuplicateString( TargetRealm, &CacheTargetRealm );
} else if (((Flags & KERB_CRACK_NAME_USE_WKSTA_REALM) == 0) || SuppliedRealm.Length > 0) { Status = KerbDuplicateString( TargetRealm, &SuppliedRealm ); } else { if ((Flags & KERB_CRACK_NAME_USE_WKSTA_REALM) == 0) { DsysAssert(FALSE); // hey, this shouldn't ever be hit...
RtlInitUnicodeString( TargetRealm, NULL ); } else { //
// There was no realm name provided, so use the wksta domain
//
Status = KerbGetOurDomainName( TargetRealm ); }
} if (!NT_SUCCESS(Status)) { goto Cleanup; }
*FinalTarget = OutputName; OutputName = NULL;
Cleanup:
#ifdef later
if (ReplaceLocalhost) { KerbGlobalReleaseLock(); }#endif
if ( LocalCacheEntry ) { KerbDereferenceSpnCacheEntry( LocalCacheEntry ); }
KerbFreeString( &CacheTargetRealm );
if (OutputName != NULL) { KerbFree(OutputName); } return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbValidateChannelBindings
//
// Synopsis: Validates the channel bindings copied from the client.
//
// Effects:
//
// Arguments: pBuffer -- Input buffer that contains channel bindings
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUSKerbValidateChannelBindings( IN PVOID pBuffer, IN ULONG ulBufferLength ){ PSEC_CHANNEL_BINDINGS pClientBindings = (PSEC_CHANNEL_BINDINGS) pBuffer; DWORD dwBindingLength; DWORD dwInitiatorEnd; DWORD dwAcceptorEnd; DWORD dwApplicationEnd;
//
// If channel bindings were specified, they had better be there
//
if (pBuffer == NULL || ulBufferLength < sizeof(SEC_CHANNEL_BINDINGS)) { return STATUS_INVALID_PARAMETER; }
//
// Make sure we got one contiguous buffer
//
dwBindingLength = sizeof(SEC_CHANNEL_BINDINGS) + pClientBindings->cbInitiatorLength + pClientBindings->cbAcceptorLength + pClientBindings->cbApplicationDataLength;
//
// Make sure the lengths are valid and check for overflow
//
if (dwBindingLength > ulBufferLength) { return STATUS_INVALID_PARAMETER; }
dwInitiatorEnd = pClientBindings->dwInitiatorOffset + pClientBindings->cbInitiatorLength; dwAcceptorEnd = pClientBindings->dwAcceptorOffset + pClientBindings->cbAcceptorLength; dwApplicationEnd = pClientBindings->dwApplicationDataOffset + pClientBindings->cbApplicationDataLength;
if ((dwInitiatorEnd > dwBindingLength || dwInitiatorEnd < pClientBindings->dwInitiatorOffset) || (dwAcceptorEnd > dwBindingLength || dwAcceptorEnd < pClientBindings->dwAcceptorOffset) || (dwApplicationEnd > dwBindingLength || dwApplicationEnd < pClientBindings->dwApplicationDataOffset)) { return STATUS_INVALID_PARAMETER; }
return STATUS_SUCCESS;}
//+-------------------------------------------------------------------------
//
// Function: SpInitLsaModeContext
//
// Synopsis: Kerberos implementation of InitializeSecurityContext. This
// routine handles the client side of authentication by
// acquiring a ticket to the specified target. If a context
// handle is passed in, then the input buffer is used to
// verify the authenticity of the server.
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPISpInitLsaModeContext( IN OPTIONAL LSA_SEC_HANDLE CredentialHandle, IN OPTIONAL LSA_SEC_HANDLE ContextHandle, IN OPTIONAL PUNICODE_STRING TargetName, IN ULONG ContextRequirements, IN ULONG TargetDataRep, IN PSecBufferDesc InputBuffers, OUT PLSA_SEC_HANDLE NewContextHandle, IN OUT PSecBufferDesc OutputBuffers, OUT PULONG ContextAttributes, OUT PTimeStamp ExpirationTime, OUT PBOOLEAN MappedContext, OUT PSecBuffer ContextData ){ PKERB_LOGON_SESSION LogonSession = NULL; PKERB_LOGON_SESSION CallerLogonSession = NULL; PKERB_CREDENTIAL Credential = NULL; PKERB_TICKET_CACHE_ENTRY TicketCacheEntry = NULL; ULONG TicketOptions = 0;
NTSTATUS Status = STATUS_SUCCESS; LUID LogonId; PUCHAR Request = NULL; ULONG RequestSize = 0; PUCHAR Reply = NULL; ULONG ReplySize; PSecBuffer OutputToken = NULL; PSecBuffer InputToken = NULL; UNICODE_STRING LocalTargetName; UNICODE_STRING TargetDomainName; PKERB_INTERNAL_NAME TargetInternalName = NULL; ULONG Index; PKERB_CONTEXT Context = NULL; ULONG Nonce = 0; ULONG ProcessFlags = 0; ULONG ReceiveNonce = 0; ULONG ContextFlags = 0; ULONG ContextAttribs = 0; ULONG LogonSessionFlags = 0; TimeStamp ContextLifetime; TimeStamp AuthenticatorTime = {0}; BOOLEAN DoThirdLeg = FALSE; BOOLEAN GetAuthTicket = FALSE; BOOLEAN UseNullSession = FALSE; BOOLEAN GetServerTgt = FALSE; PKERB_ERROR ErrorMessage = NULL; PKERB_ERROR_METHOD_DATA ErrorData = NULL; PKERB_EXT_ERROR pExtendedError = NULL; PKERB_TGT_REPLY TgtReply = NULL; PKERB_SPN_CACHE_ENTRY SpnCacheEntry = NULL; ULONG ContextRetries = 0; KERB_CONTEXT_STATE ContextState = InvalidState; KERB_ENCRYPTION_KEY SubSessionKey = {0}; BOOLEAN ClientAskedForDelegate = FALSE, ClientAskedForDelegateIfSafe = FALSE; ULONG ClientProcess = 0; PKERB_CREDMAN_CRED CredManCredentials = NULL; NTSTATUS InitialStatus = STATUS_SUCCESS; PSEC_CHANNEL_BINDINGS pChannelBindings = NULL; PKERB_TICKET_CACHE_ENTRY EvidenceTicket = NULL; PBYTE pbMarshalledTargetInfo = NULL; ULONG cbMarshalledTargetInfo = 0;
KERB_INITSC_INFO InitSCTraceInfo; InitSCTraceInfo.EventTrace.Size = 0; LUID LocalSystemLuid = SYSTEM_LUID;
D_DebugLog((DEB_TRACE_API, "SpInitLsaModeContext 0x%x called\n", ContextHandle));
if( KerbEventTraceFlag ) // Event Trace: KerbInitSecurityContextStart {No Data}
{ InitSCTraceInfo.EventTrace.Guid = KerbInitSCGuid; InitSCTraceInfo.EventTrace.Class.Type = EVENT_TRACE_TYPE_START; InitSCTraceInfo.EventTrace.Flags = WNODE_FLAG_TRACED_GUID; InitSCTraceInfo.EventTrace.Size = sizeof (EVENT_TRACE_HEADER);
TraceEvent( KerbTraceLoggerHandle, (PEVENT_TRACE_HEADER)&InitSCTraceInfo ); }
//
// Initialize the outputs.
//
*ContextAttributes = 0; *NewContextHandle = 0; *ExpirationTime = KerbGlobalHasNeverTime; *MappedContext = FALSE; ContextData->pvBuffer = NULL; ContextData->cbBuffer = 0; LocalTargetName.Buffer = NULL; LocalTargetName.Length = 0; TargetDomainName.Buffer = NULL; TargetDomainName.Length = 0;
if (!KerbGlobalInitialized) { Status = STATUS_INVALID_SERVER_STATE; goto Cleanup; }
//
// Make sure we have at least one ip address
//
KerbGlobalReadLock(); if (KerbGlobalNoTcpUdp) { Status = STATUS_NETWORK_UNREACHABLE; } KerbGlobalReleaseLock(); if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// Delegate will mean delegate_if_safe for this
// release (NT5)
//
if ( ContextRequirements & ISC_REQ_DELEGATE ) { ClientAskedForDelegate = TRUE; ContextRequirements |= ISC_REQ_DELEGATE_IF_SAFE ; ContextRequirements &= ~(ISC_REQ_DELEGATE) ; } else if ( ContextRequirements & ISC_REQ_DELEGATE_IF_SAFE ) { ClientAskedForDelegateIfSafe = TRUE; }
//////////////////////////////////////////////////////////////////////
//
// Process the input tokens
//
/////////////////////////////////////////////////////////////////////
//
// First locate the output token.
//
for (Index = 0; Index < OutputBuffers->cBuffers ; Index++ ) { if (BUFFERTYPE(OutputBuffers->pBuffers[Index]) == SECBUFFER_TOKEN) { OutputToken = &OutputBuffers->pBuffers[Index]; Status = LsaFunctions->MapBuffer(OutputToken,OutputToken); break; } }
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR, "Failed to map output token: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__)); goto Cleanup; }
//
// Now locate the Input token.
//
for (Index = 0; Index < InputBuffers->cBuffers ; Index++ ) { if (BUFFERTYPE(InputBuffers->pBuffers[Index]) == SECBUFFER_TOKEN) { InputToken = &InputBuffers->pBuffers[Index]; Status = LsaFunctions->MapBuffer(InputToken,InputToken); break; } }
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR, "Failed to map Input token: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__)); goto Cleanup; }
//
// Check to see if we were passed an additional name
//
for (Index = 0; Index < InputBuffers->cBuffers ; Index++ ) { if (BUFFERTYPE(InputBuffers->pBuffers[Index]) == SECBUFFER_NEGOTIATION_INFO) { Status = LsaFunctions->MapBuffer( &InputBuffers->pBuffers[Index], &InputBuffers->pBuffers[Index] ); if (!NT_SUCCESS(Status)) { D_DebugLog( (DEB_ERROR, "Failed to map incoming SECBUFFER_NEGOTIATION_INFO. %x, %ws, %d", Status, THIS_FILE, __LINE__) ); goto Cleanup; } LocalTargetName.Buffer = (LPWSTR) InputBuffers->pBuffers[Index].pvBuffer;
//
// We can only stick 64k in a the length field, so make sure the
// buffer is not too big.
//
if (InputBuffers->pBuffers[Index].cbBuffer > 0xffff) { Status = SEC_E_INVALID_TOKEN; goto Cleanup; }
LocalTargetName.Length = LocalTargetName.MaximumLength = (USHORT) InputBuffers->pBuffers[Index].cbBuffer;
break; } }
//
// Process the target names
//
Status = KerbProcessTargetNames( TargetName, &LocalTargetName, 0, // No flags
&ProcessFlags, &TargetInternalName, &TargetDomainName, &SpnCacheEntry );
if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// Check to see if we were passed channel bindings
//
for( Index = 0; Index < InputBuffers->cBuffers; Index++ ) { if( BUFFERTYPE(InputBuffers->pBuffers[Index]) == SECBUFFER_CHANNEL_BINDINGS ) { Status = LsaFunctions->MapBuffer( &InputBuffers->pBuffers[Index], &InputBuffers->pBuffers[Index] );
if( !NT_SUCCESS(Status) ) { D_DebugLog( (DEB_ERROR, "Failed to map incoming SECBUFFER_CHANNEL_BINDINGS. %x, %ws, %d\n", Status, THIS_FILE, __LINE__) );
goto Cleanup; }
pChannelBindings = (PSEC_CHANNEL_BINDINGS) InputBuffers->pBuffers[Index].pvBuffer;
Status = KerbValidateChannelBindings(pChannelBindings, InputBuffers->pBuffers[Index].cbBuffer);
if (!NT_SUCCESS(Status)) { pChannelBindings = NULL; goto Cleanup; }
break; } }
//////////////////////////////////////////////////////////////////////
//
// If the caller passed in a context handle, deal with updating an
// existing context.
//
/////////////////////////////////////////////////////////////////////
//
// If the input context handle is no NULL then we are actually
// finalizing an already-existing context. So be it.
//
//
// Use "while" so we can break out.
//
while (ContextHandle != 0) { D_DebugLog((DEB_TRACE_CTXT, "SpInitLsaModeContext: Second call to Initialize\n")); if (InputToken == NULL) { D_DebugLog((DEB_ERROR, "SpInitLsaModeContext trying to complete a context with no input token! %ws, line %d\n", THIS_FILE, __LINE__)); Status = SEC_E_INVALID_TOKEN; goto Cleanup; }
//
// First reference the context.
//
Status = KerbReferenceContext( ContextHandle, FALSE, // don't unlink
&Context ); if (Context == NULL) { D_DebugLog((DEB_ERROR,"Failed to reference context 0x%x. %ws, line %d\n",ContextHandle, THIS_FILE, __LINE__)); goto Cleanup; }
//
// Check the mode of the context to make sure we can finalize it.
//
KerbReadLockContexts();
ContextState = Context->ContextState; if ((ContextState != ApRequestSentState) && (ContextState != TgtRequestSentState)) { D_DebugLog((DEB_ERROR, "Invalid context state: %d. %ws, line %d\n", Context->ContextState, THIS_FILE, __LINE__)); Status = STATUS_INVALID_HANDLE; KerbUnlockContexts(); goto Cleanup; } ContextRetries = Context->Retries; ContextFlags = Context->ContextFlags; ContextAttribs = Context->ContextAttributes; Nonce = Context->Nonce; CredentialHandle = Context->CredentialHandle; ClientProcess = Context->ClientProcess; KerbUnlockContexts();
//
// If we are not doing datagram, unpack the AP or TGT reply.
//
if ((ContextFlags & ISC_RET_DATAGRAM) == 0) { ////////////////////////////////////////////////////
//
// Handle a TGT reply - get out the TGT & the name of
// the server
//
////////////////////////////////////////////////////
if (ContextState == TgtRequestSentState) { D_DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext calling KerbUnpackTgtReply\n"));
KerbWriteLockContexts(); if (!(Context->ContextAttributes & KERB_CONTEXT_USER_TO_USER)) { Context->ContextAttributes |= KERB_CONTEXT_USER_TO_USER; DebugLog((DEB_WARN, "SpInitLsaModeContext * use_sesion_key but USER2USER-OUTBOUND not set, added it now\n")); } KerbUnlockContexts();
Status = KerbUnpackTgtReply( Context, (PUCHAR) InputToken->pvBuffer, InputToken->cbBuffer, &TargetInternalName, &TargetDomainName, &TgtReply );
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR, "SpInitLsaModeContext failed to unpack TGT reply: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
//
// Check for an error message
//
Status = KerbReceiveErrorMessage( (PUCHAR) InputToken->pvBuffer, InputToken->cbBuffer, Context, &ErrorMessage, &ErrorData ); if (!NT_SUCCESS(Status)) { goto Cleanup; }
KerbReportKerbError( NULL, NULL, NULL, NULL, KLIN(FILENO,__LINE__), ErrorMessage, ((NULL != ErrorMessage) ? ErrorMessage->error_code : KRB_ERR_GENERIC), pExtendedError, FALSE );
//
// Ahh. We have an error message. See if it is an
// error we can handle, and if so, Now we need to
// try to build a better AP request. Or, if we have
// already retried once, fail.
//
DebugLog((DEB_WARN, "SpInitLsaModeContext received KERB_ERROR message with error 0x%x, can't handle\n", ErrorMessage->error_code ));
if ((ErrorMessage->error_code == KRB_ERR_GENERIC) && (ErrorData != NULL) && (ErrorData->bit_mask & data_value_present) && (ErrorData->data_type == KERB_AP_ERR_TYPE_NTSTATUS) && (ErrorData->data_value.length == sizeof(ULONG))) { Status = *((PULONG)ErrorData->data_value.value); } else { Status = KerbMapKerbError((KERBERR) ErrorMessage->error_code); if (NT_SUCCESS(Status)) { Status = STATUS_INTERNAL_ERROR; } }
goto Cleanup; }
//
// Break out so we generate a normal request now
//
break; } else // not user-to-user
{
////////////////////////////////////////////////////
//
// This is the response to an AP request. It could be
// an AP reply or an error. Handle both cases
//
////////////////////////////////////////////////////
//
// Now unpack the AP reply
//
Status = KerbVerifyApReply( Context, (PUCHAR) InputToken->pvBuffer, InputToken->cbBuffer, &ReceiveNonce );
if (!NT_SUCCESS(Status)) { //
// Check for an error message
//
Status = KerbReceiveErrorMessage( (PUCHAR) InputToken->pvBuffer, InputToken->cbBuffer, Context, &ErrorMessage, &ErrorData ); DebugLog((DEB_TRACE, "SpInitLsaModeContext non datagram called KerbReceiveErrorMessage %#x\n", Status));
if (!NT_SUCCESS(Status)) { goto Cleanup; }
KerbReportKerbError( NULL, NULL, NULL, NULL, KLIN(FILENO, __LINE__), ErrorMessage, ((NULL != ErrorMessage) ? ErrorMessage->error_code : KRB_ERR_GENERIC), pExtendedError, FALSE );
DebugLog((DEB_WARN, "SpInitLsaModeContext failed to verify AP reply: 0x%x\n", ErrorMessage->error_code));
//
// Ahh. We have an error message. See if it is an
// error we can handle, and if so, Now we need to
// try to build a better AP request. Or, if we have
// already retried once, fail. We can't get a new ticket
// with user-to-user.
//
if ((ContextRetries != 0) || (((KERBERR) ErrorMessage->error_code != KRB_AP_ERR_SKEW) && ((KERBERR) ErrorMessage->error_code != KRB_AP_ERR_TKT_NYV) && ((KERBERR) ErrorMessage->error_code != KRB_AP_ERR_USER_TO_USER_REQUIRED) && ((KERBERR) ErrorMessage->error_code != KRB_AP_ERR_MODIFIED)) || (((KERBERR) ErrorMessage->error_code == KRB_AP_ERR_MODIFIED) && ((ContextAttribs & KERB_CONTEXT_USER_TO_USER) != 0))) { if ((ErrorMessage->error_code == KRB_ERR_GENERIC) && (ErrorData != NULL) && (ErrorData->data_type == KERB_AP_ERR_TYPE_NTSTATUS) && ((ErrorData->bit_mask & data_value_present) != 0) && (ErrorData->data_value.value != NULL) && (ErrorData->data_value.length == sizeof(ULONG))) { Status = *((PULONG)ErrorMessage->error_data.value);
if (NT_SUCCESS(Status)) // must fail here
{ Status = STATUS_INTERNAL_ERROR; }
DebugLog((DEB_ERROR, "InitSecContext Received KERB_ERROR message with Status %#x, %ws, line %d\n", Status, THIS_FILE, __LINE__)); }
if (ErrorMessage->error_code == KRB_AP_ERR_MODIFIED) { //
// If the server couldn't decrypt the ticket,
// then the target name is wrong for the server.
//
DebugLog((DEB_ERROR, "App modified error (NO CONTINUE, bail)\n")); KerbReportApError(ErrorMessage, TargetName); Status = SEC_E_WRONG_PRINCIPAL; } else if (ErrorMessage->error_code == KRB_AP_ERR_TKT_NYV) { DebugLog((DEB_ERROR, "Not yet valid error - Check Time Skew\n")); KerbReportApError(ErrorMessage, NULL); Status = STATUS_TIME_DIFFERENCE_AT_DC; } else { DebugLog((DEB_ERROR, "InitSecContext Received KERB_ERROR message with error 0x%x, can't handle. %ws, line %d\n", ErrorMessage->error_code, THIS_FILE, __LINE__));
Status = KerbMapKerbError((KERBERR) ErrorMessage->error_code); if (NT_SUCCESS(Status)) // must fail here
{ Status = STATUS_INTERNAL_ERROR; } } goto Cleanup; } else { //
// Check to see if the server supports skew
//
if ((ErrorMessage->error_code == KRB_AP_ERR_SKEW) && (ErrorData == NULL) || ((ErrorData != NULL) && (ErrorData->data_type != KERB_AP_ERR_TYPE_SKEW_RECOVERY))) { //
// The server doesn't support skew recovery.
//
D_DebugLog((DEB_WARN, "SpInitLsaModeContext skew error but server doesn't handle skew recovery.\n")); Status = KerbMapKerbError((KERBERR) ErrorMessage->error_code); goto Cleanup; }
//
// Here's where we'll punt "not yet valid tickets" and friends...
//
if (ErrorMessage->error_code == KRB_AP_ERR_TKT_NYV) { KerbPurgeServiceTicketAndTgt( Context, CredentialHandle, CredManCredentials );
DebugLog((DEB_ERROR, "Purged all tickets due to NYV error!\n")); }
KerbWriteLockContexts(); Context->Retries++; KerbUnlockContexts(); }
////////////////////////////////////////////////////
//
// We got an error we can handle. For user-to-user
// required, we received the TGT so we can get
// the appropriate ticket. For modified, we want
// to toss the old ticket & get a new one, hopefully
// with a better key.
//
////////////////////////////////////////////////////
if ((KERBERR) ErrorMessage->error_code == KRB_AP_ERR_USER_TO_USER_REQUIRED) { D_DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext received KRB_AP_ERR_USER_TO_USER_REQUIRED\n"));
if ((ErrorMessage->bit_mask & error_data_present) == 0) { DebugLog((DEB_ERROR, "Server requires user-to-user but didn't send TGT reply. %ws, line %d\n", THIS_FILE, __LINE__)); Status = STATUS_NO_TGT_REPLY; goto Cleanup; }
//
// Check for TGT reply
//
Status = KerbUnpackTgtReply( Context, ErrorMessage->error_data.value, ErrorMessage->error_data.length, &TargetInternalName, &TargetDomainName, &TgtReply ); if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR, "SpInitLsaModeContext failed to unpack tgt reply %#x\n", Status));
Status = STATUS_INVALID_PARAMETER; goto Cleanup; }
//
// Fall through into normal ticket handling
//
ContextFlags |= ISC_RET_USE_SESSION_KEY;
//
// Remove the old ticket cache entry
//
KerbWriteLockContexts(); TicketCacheEntry = Context->TicketCacheEntry; Context->TicketCacheEntry = NULL; KerbUnlockContexts();
if (TicketCacheEntry != NULL) { KerbFreeString( &TargetDomainName ); KerbFreeKdcName( &TargetInternalName );
//
// Get the target name from the old ticket
//
KerbReadLockTicketCache(); Status = KerbDuplicateString( &TargetDomainName, &TicketCacheEntry->DomainName ); if (NT_SUCCESS(Status)) { Status = KerbDuplicateKdcName( &TargetInternalName, TicketCacheEntry->ServiceName ); }
KerbUnlockTicketCache(); if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// Free this ticket cache entry
//
KerbRemoveTicketCacheEntry(TicketCacheEntry);
//
// Remove the reference holding it to the context
//
KerbDereferenceTicketCacheEntry(TicketCacheEntry);
TicketCacheEntry = NULL; }
break; } else if ((KERBERR) ErrorMessage->error_code == KRB_AP_ERR_MODIFIED) { DebugLog((DEB_WARN, "App modified error (purge ticket!)\n"));
KerbWriteLockContexts(); TicketCacheEntry = Context->TicketCacheEntry; Context->TicketCacheEntry = NULL; KerbUnlockContexts();
if (TicketCacheEntry != NULL) { //
// Get rid of the old ticket in the context
KerbFreeString( &TargetDomainName ); KerbFreeKdcName( &TargetInternalName );
//
// Get the target name from the old ticket
//
KerbReadLockTicketCache(); Status = KerbDuplicateString( &TargetDomainName, &TicketCacheEntry->DomainName ); if (NT_SUCCESS(Status)) {
Status = KerbDuplicateKdcName( &TargetInternalName, TicketCacheEntry->ServiceName ); } KerbUnlockTicketCache(); if (!NT_SUCCESS(Status)) { goto Cleanup; } //
// Free this ticket cache entry
//
KerbRemoveTicketCacheEntry(TicketCacheEntry);
//
// Remove the reference holding it to the context
//
KerbDereferenceTicketCacheEntry(TicketCacheEntry);
TicketCacheEntry = NULL; } }
break; } }
////////////////////////////////////////////////////
//
// We successfully decrypted the AP reply. At this point
// we want to finalize the context. For DCE style we send
// a useless AP reply to the server.
//
////////////////////////////////////////////////////
//
// If the caller wanted DCE style authentication, build another
// AP reply
//
KerbWriteLockContexts();
if ((Context->ContextFlags & ISC_RET_USED_DCE_STYLE) != 0) { DoThirdLeg = TRUE; } else { DoThirdLeg = FALSE; }
Context->ReceiveNonce = ReceiveNonce;
KerbUnlockContexts();
if (DoThirdLeg) { //
// Build an AP reply to send back to the server.
//
Status = KerbBuildThirdLegApReply( Context, ReceiveNonce, &Reply, &ReplySize );
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR,"Failed to build AP reply: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__)); goto Cleanup; }
if (OutputToken == NULL) { D_DebugLog((DEB_ERROR,"Output token missing. %ws, line %d\n", THIS_FILE, __LINE__)); Status = SEC_E_INVALID_TOKEN; goto Cleanup; }
//
// Return the AP reply in the output buffer.
//
if ((ContextRequirements & ISC_REQ_ALLOCATE_MEMORY) == 0) { if (OutputToken->cbBuffer < ReplySize) { ULONG ErrorData[3];
ErrorData[0] = ReplySize; ErrorData[1] = OutputToken->cbBuffer; ErrorData[2] = ClientProcess;
DebugLog((DEB_ERROR,"Output token is too small - sent in %d, needed %d. %ws, line %d\n", OutputToken->cbBuffer,ReplySize, THIS_FILE, __LINE__ )); OutputToken->cbBuffer = ReplySize; Status = STATUS_BUFFER_TOO_SMALL;
KerbReportNtstatus( KERBEVT_INSUFFICIENT_TOKEN_SIZE, Status, NULL, 0, ErrorData, 3 );
goto Cleanup; }
RtlCopyMemory( OutputToken->pvBuffer, Reply, ReplySize ); } else { OutputToken->pvBuffer = Reply; Reply = NULL; *ContextAttributes |= ISC_RET_ALLOCATED_MEMORY; } OutputToken->cbBuffer = ReplySize; } else { //
// No return message, so set the return length to zero.
//
if (OutputToken != NULL) { OutputToken->cbBuffer = 0; } } } else { //////////////////////////////////////////////////////////////////////
//
// We are doing datagram, so we don't expect anything from the
// server but perhaps an error. If we get an error, handle it.
// Otherwise, build an AP request to send to the server
//
/////////////////////////////////////////////////////////////////////
//
// We are doing datagram. Build the AP request for the
// server side.
//
//
// Check for an error message
//
if ((InputToken != NULL) && (InputToken->cbBuffer != 0)) { Status = KerbReceiveErrorMessage( (PUCHAR) InputToken->pvBuffer, InputToken->cbBuffer, Context, &ErrorMessage, &ErrorData ); DebugLog((DEB_TRACE, "SpInitLsaModeContext datagram called KerbReceiveErrorMessage %#x\n", Status));
if (!NT_SUCCESS(Status)) { goto Cleanup; }
KerbReportKerbError( NULL, NULL, NULL, NULL, KLIN(FILENO, __LINE__), ErrorMessage, ((NULL != ErrorMessage) ? ErrorMessage->error_code : KRB_ERR_GENERIC), pExtendedError, FALSE );
//
// Check for a real error
//
if ((ErrorData != NULL) && (ErrorData->data_type == KERB_AP_ERR_TYPE_NTSTATUS) && ((ErrorData->bit_mask & data_value_present) != 0) && (ErrorData->data_value.value != NULL) && (ErrorData->data_value.length == sizeof(ULONG))) { Status = *((PULONG)ErrorMessage->error_data.value); if (NT_SUCCESS(Status)) { Status = STATUS_INTERNAL_ERROR; } goto Cleanup; } }
//
// Get the associated credential
//
Status = KerbReferenceCredential( CredentialHandle, KERB_CRED_OUTBOUND | KERB_CRED_TGT_AVAIL, FALSE, &Credential); if (!NT_SUCCESS(Status)) { DebugLog((DEB_WARN,"Failed to locate credential: 0x%x\n",Status)); goto Cleanup; }
//
// Get the logon id from the credentials so we can locate the
// logon session.
//
LogonId = Credential->LogonId;
//
// Get the logon session
//
LogonSession = KerbReferenceLogonSession( &LogonId, FALSE ); if (LogonSession == NULL) { Status = STATUS_NO_SUCH_LOGON_SESSION; goto Cleanup; }
KerbReadLockLogonSessions(LogonSession);
if (Credential->SuppliedCredentials != NULL) { GetAuthTicket = TRUE; } else if (((Credential->CredentialFlags & KERB_CRED_NULL_SESSION) != 0) || ((ContextRequirements & ISC_REQ_NULL_SESSION) != 0)) { UseNullSession = TRUE; ContextFlags |= ISC_RET_NULL_SESSION; } KerbUnlockLogonSessions(LogonSession);
KerbReadLockContexts();
TicketCacheEntry = Context->TicketCacheEntry;
//
// Get the session key to use from the context
//
if (Context->SessionKey.keyvalue.value != 0) { if (!KERB_SUCCESS(KerbDuplicateKey( &SubSessionKey, &Context->SessionKey ))) { Status = STATUS_INSUFFICIENT_RESOURCES; } }
Context->TicketCacheEntry = NULL;
KerbUnlockContexts();
if (!NT_SUCCESS(Status)) { goto Cleanup; }
D_DebugLog((DEB_TRACE_CTXT2,"Building AP request for datagram oriented context\n"));
//
// If we are building a null session, build the special null
// session AP request
//
if (UseNullSession) { Status = KerbBuildNullSessionApRequest( &Request, &RequestSize ); //
// Turn off all unsupported flags
//
ContextFlags &= ( ISC_RET_ALLOCATED_MEMORY | ISC_RET_CONNECTION | ISC_RET_DATAGRAM | ISC_RET_NULL_SESSION ); } else { if (TicketCacheEntry == NULL) { DebugLog((DEB_ERROR, "SpInitLsaModeContext does have service ticket\n"));
Status = STATUS_INTERNAL_ERROR; goto Cleanup; }
Status = KerbBuildApRequest( LogonSession, Credential, CredManCredentials, TicketCacheEntry, ErrorMessage, ContextAttribs, &ContextFlags, &Request, &RequestSize, &Nonce, &AuthenticatorTime, &SubSessionKey, pChannelBindings ); }
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR,"Failed to build AP request: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__)); goto Cleanup; }
//
// Return the AP request in the output buffer.
//
if ((ContextRequirements & ISC_REQ_ALLOCATE_MEMORY) == 0) { if (OutputToken->cbBuffer < RequestSize) { ULONG ErrorData[3];
ErrorData[0] = RequestSize; ErrorData[1] = OutputToken->cbBuffer; ErrorData[2] = ClientProcess;
D_DebugLog((DEB_ERROR,"Output token is too small - sent in %d, needed %d. %ws, line %d\n", OutputToken->cbBuffer,RequestSize, THIS_FILE, __LINE__ )); OutputToken->cbBuffer = RequestSize; Status = STATUS_BUFFER_TOO_SMALL;
KerbReportNtstatus( KERBEVT_INSUFFICIENT_TOKEN_SIZE, Status, NULL, 0, ErrorData, 3 );
goto Cleanup; }
RtlCopyMemory( OutputToken->pvBuffer, Request, RequestSize ); } else { OutputToken->pvBuffer = Request; *ContextAttributes |= ISC_RET_ALLOCATED_MEMORY; Request = NULL; }
OutputToken->cbBuffer = RequestSize; }
//
//
// We're done - we finalized.
//
Status = STATUS_SUCCESS;
KerbReadLockContexts(); Context->ContextFlags = ContextFlags; *ContextAttributes |= Context->ContextFlags;
KerbUtcTimeToLocalTime( ExpirationTime, &Context->Lifetime ); *NewContextHandle = ContextHandle; KerbUnlockContexts();
goto Cleanup; }
//////////////////////////////////////////////////////////////////////
//
// We need to create a request to the server, possibly a TGT request
// or an AP request depending on what phase of the protocol we're in.
//
/////////////////////////////////////////////////////////////////////
DsysAssert(!((Context != NULL) ^ ((ErrorMessage != NULL) || (TgtReply != NULL))));
D_DebugLog((DEB_TRACE_CTXT,"SpInitLsaModeContext: First call to Initialize\n"));
//
// This is the case where we are constructing a new context.
//
//
// Get the associated credential and its TGT, if needed
//
Status = KerbReferenceCredential( CredentialHandle, KERB_CRED_OUTBOUND | KERB_CRED_TGT_AVAIL, FALSE, &Credential ); if (!NT_SUCCESS(Status)) { InitialStatus = Status;
Status = KerbReferenceCredential( CredentialHandle, KERB_CRED_OUTBOUND, FALSE, &Credential ); if( !NT_SUCCESS( Status ) || Credential->SuppliedCredentials != NULL) { Status = InitialStatus; D_DebugLog((DEB_WARN,"Failed to locate credential 0x%x\n",Status)); goto Cleanup; }
//
// if we got here, only explicit or credman creds are allowed.
// If the explicit creds failed to get a TGT from above, its also
// time to bail, as explicit creds never should fall back to credman.
//
// We may also try to use S4U
//
}
//
// Get the logon id from the credentials so we can locate the
// logon session.
//
LogonId = Credential->LogonId;
//
// Get the logon session
//
LogonSession = KerbReferenceLogonSession( &LogonId, FALSE ); if (LogonSession == NULL) { Status = STATUS_NO_SUCH_LOGON_SESSION; goto Cleanup; }
KerbReadLockLogonSessions(LogonSession); LogonSessionFlags = LogonSession->LogonSessionFlags; KerbUnlockLogonSessions(LogonSession);
//
// Make some decisions based on the state of the credential. If using
// supplied credentials, make decisions based on the logon session.
// or presense of credman credentials.
//
if (Credential->SuppliedCredentials != NULL) { GetAuthTicket = TRUE; } else if (((Credential->CredentialFlags & KERB_CRED_NULL_SESSION) != 0) || ((ContextRequirements & ISC_REQ_NULL_SESSION) != 0)) { UseNullSession = TRUE; ContextFlags |= ISC_RET_NULL_SESSION; } else if ((LogonSessionFlags & KERB_LOGON_S4U_REQUIRED) != 0) { //
// Evaluate the current state of the logon session. If its an S4U one,
// but isn't marked for delegate, then this will be a NULL session.
//
if ((LogonSessionFlags & KERB_LOGON_DELEGATE_OK) == 0) { DebugLog((DEB_ERROR, "Calling ISC from a nondelegatable S4U ls (%p)\n", LogonSession)); Status = SEC_E_NO_CREDENTIALS; goto Cleanup; } else { DebugLog((DEB_TRACE_S4U, "Trying S4UProxy for ls %p\n", LogonSession));
//
// The other 2 forms of S4U possibilities (dummy & delegate OK) will
// either have a ticket, or require an S4U ticket. Handle this by
// prefetching the S4U ticket as evidence for S4U request.
//
Status = KerbGetS4UProxyEvidence( LogonSession, TargetInternalName, Credential->ClientProcess, &CallerLogonSession, &EvidenceTicket );
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR, "Failed to get S4UProxy Evidence ticket %x \n", Status)); Status = SEC_E_NO_CREDENTIALS; // fall back to anony / NTLM...
goto Cleanup; } } } else { //
// go to the credential manager to try and find
// credentials for this specific target
//
ULONG ExtraTargetFlags = 0;
if ((ContextRequirements & ISC_REQ_USE_SUPPLIED_CREDS) != 0) { ExtraTargetFlags = CRED_TI_ONLY_PASSWORD_REQUIRED; }
KerbWriteLockLogonSessions(LogonSession); Status = KerbCheckCredMgrForGivenTarget( LogonSession, Credential, TargetName, // original targetname, may contain marshalled targetinfo
TargetInternalName, ExtraTargetFlags, &TargetDomainName, NULL, &CredManCredentials, &pbMarshalledTargetInfo, &cbMarshalledTargetInfo );
KerbUnlockLogonSessions(LogonSession);
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR, "SpInitLsaModeContext failed to get outbound ticket, KerbCheckCredMgrForGivenTarget failed with 0x%x\n", Status)); goto Cleanup; }
if (CredManCredentials != NULL) { GetAuthTicket = TRUE; ProcessFlags &= ~KERB_TARGET_UNKNOWN_SPN; } else { //
// if this is a local account logon then we have to have a cred man
// credential
//
if ((Credential->CredentialFlags & KERB_CRED_LOCAL_ACCOUNT) != 0) { D_DebugLog((DEB_WARN, "Trying to use a local logon session with Kerberos\n")); Status = SEC_E_NO_CREDENTIALS; goto Cleanup; }
//
// if no credman cred was found, we didn't use explicit creds,
// and the initial credential reference for TGT_AVAIL failed, bail now.
//
if( !NT_SUCCESS( InitialStatus ) ) { Status = InitialStatus; D_DebugLog((DEB_WARN,"Failed to locate credential 0x%x\n",Status)); goto Cleanup; } } }
#if DBG
KerbReadLockLogonSessions(LogonSession); D_DebugLog((DEB_TRACE_CTXT, "SpInitLsaModeContext: Initailizing context for %wZ\\%wZ\n", &LogonSession->PrimaryCredentials.DomainName, &LogonSession->PrimaryCredentials.UserName )); KerbUnlockLogonSessions(LogonSession);#endif
//////////////////////////////////////////////////////////////////////
//
// Process all the context requirements. We don't support all of them
// and some of them are mutually exclusive. In general, we don't fail
// if we're asked to do something we can't do, unless it seems mandatory,
// like allocating memory.
//
/////////////////////////////////////////////////////////////////////
//
// Figure out the context flags
//
if ((ContextRequirements & ISC_REQ_MUTUAL_AUTH) != 0) { D_DebugLog((DEB_TRACE_CTXT,"Client wants mutual auth.\n")); ContextFlags |= ISC_RET_MUTUAL_AUTH; }
if ((ContextRequirements & ISC_REQ_SEQUENCE_DETECT) != 0) { D_DebugLog((DEB_TRACE_CTXT, "Client wants sequence detect\n")); ContextFlags |= ISC_RET_SEQUENCE_DETECT | ISC_RET_INTEGRITY; }
if ((ContextRequirements & ISC_REQ_REPLAY_DETECT) != 0) { D_DebugLog((DEB_TRACE_CTXT, "Client wants replay detect\n")); ContextFlags |= ISC_RET_REPLAY_DETECT | ISC_RET_INTEGRITY; }
if ((ContextRequirements & ISC_REQ_INTEGRITY) != 0) { D_DebugLog((DEB_TRACE_CTXT, "Client wants integrity\n")); ContextFlags |= ISC_RET_INTEGRITY; }
if ((ContextRequirements & ISC_REQ_CONFIDENTIALITY) != 0) { D_DebugLog((DEB_TRACE_CTXT, "Client wants privacy\n")); ContextFlags |= (ISC_RET_CONFIDENTIALITY | ISC_RET_INTEGRITY | ISC_RET_SEQUENCE_DETECT | ISC_RET_REPLAY_DETECT ); }
if ((ContextRequirements & ISC_REQ_USE_DCE_STYLE) != 0) { D_DebugLog((DEB_TRACE_CTXT, "Client wants DCE style\n")); ContextFlags |= ISC_RET_USED_DCE_STYLE; }
if ((ContextRequirements & ISC_REQ_EXTENDED_ERROR) != 0) { D_DebugLog((DEB_TRACE_CTXT, "Client wants extended error\n")); ContextFlags |= ISC_RET_EXTENDED_ERROR; }
if ((ContextRequirements & ISC_REQ_DATAGRAM) != 0) { if ((ContextRequirements & ISC_REQ_CONNECTION) != 0) { D_DebugLog((DEB_ERROR,"Client wanted both data gram and connection. %ws, line %d\n", THIS_FILE, __LINE__)); Status = SEC_E_UNSUPPORTED_FUNCTION; goto Cleanup; } D_DebugLog((DEB_TRACE_CTXT, "Client wants Datagram style\n")); ContextFlags |= ISC_RET_DATAGRAM; }
if ((ContextRequirements & ISC_REQ_USE_SESSION_KEY) != 0) { D_DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext Client wants sub-session key\n"));
//
// Can't do this with datagram because we need to be able to
// start sealing messages after the first call to Initialize.
//
// With a null session there is no real ticket so we don't ever
// need the server TGT either.
//
// Can't do DCE style because they don't have this.
//
if (!UseNullSession && (ContextRequirements & (ISC_REQ_DATAGRAM | ISC_REQ_USE_DCE_STYLE)) == 0) { //
// If we are in the first call, get a server TGT
//
if (ContextState == InvalidState) { GetServerTgt = TRUE; } ContextFlags |= ISC_RET_USE_SESSION_KEY; } else { DebugLog((DEB_WARN, "SpInitLsaModeContext Client wanted both datagram and session key, dropping session key\n")); } }
if ((ContextRequirements & ISC_REQ_DELEGATE) != 0) { D_DebugLog((DEB_TRACE_CTXT, "Client wants Delegation\n")); if ((ContextFlags & ISC_RET_MUTUAL_AUTH) == 0) { D_DebugLog((DEB_WARN,"Can't do delegate without mutual\n")); } else { ContextFlags |= ISC_RET_DELEGATE; } } else if ((ContextRequirements & ISC_REQ_DELEGATE_IF_SAFE) != 0) { D_DebugLog((DEB_TRACE_CTXT, "Client wants Delegation, if safe\n")); if ((ContextFlags & ISC_RET_MUTUAL_AUTH) == 0) { D_DebugLog((DEB_WARN,"Can't do delegate without mutual\n")); } else { ContextFlags |= ISC_RET_DELEGATE_IF_SAFE; } }
if ((ContextRequirements & ISC_REQ_CONNECTION) != 0) { D_DebugLog((DEB_TRACE_CTXT, "Client wants Connection style\n")); ContextFlags |= ISC_RET_CONNECTION; }
if ((ContextRequirements & ISC_REQ_IDENTIFY) != 0) { D_DebugLog((DEB_TRACE_CTXT, "Client wants Identify level\n")); ContextFlags |= ISC_RET_IDENTIFY; if (((ContextRequirements & ISC_REQ_DELEGATE) != 0) || ((ContextRequirements & ISC_REQ_DELEGATE_IF_SAFE) != 0)) { D_DebugLog((DEB_WARN, "Client wants Delegation and Indentify, turning off delegation\n")); ContextFlags &= ~ISC_RET_DELEGATE; ContextFlags &= ~ISC_RET_DELEGATE_IF_SAFE; } }
//////////////////////////////////////////////////////////////////////
//
// Get the ticket necessary to process the request. At this point:
// - TicketCacheEntry should contain the ticket to re-use
// - ErrorMessage should contain the error message, if there was one
//
/////////////////////////////////////////////////////////////////////
//
// Get the outbound ticket. If the credential has attached supplied
// credentials, get an AS ticket instead.
//
if (GetServerTgt) { //
// Nothing to do
//
} else if (!UseNullSession) { D_DebugLog((DEB_TRACE_CTXT,"SpInitLsaModeContext: Getting outbound ticket for %wZ (%wZ) or ", TargetName, &LocalTargetName)); D_KerbPrintKdcName((DEB_TRACE_CTXT, TargetInternalName));
//
// If we got a skew error and we already have a cached ticket, don't
// bother getting a new ticket.
//
KerbReadLockContexts();
if (ErrorMessage != NULL) { if (((KERBERR) ErrorMessage->error_code == KRB_AP_ERR_SKEW) && (Context->TicketCacheEntry != NULL)) { TicketCacheEntry = Context->TicketCacheEntry; KerbReferenceTicketCacheEntry(Context->TicketCacheEntry); } } KerbUnlockContexts();
//
// If we don't have a ticket in the context, go ahead and get
// a new ticket
//
if ( EvidenceTicket != NULL ) { Status = KerbGetServiceTicketByS4UProxy( LogonSession, CallerLogonSession, Credential, EvidenceTicket, TargetInternalName, &TargetDomainName, SpnCacheEntry, ProcessFlags, TicketOptions, 0, // no enc type
ErrorMessage, NULL, // no authorization data
TgtReply, &TicketCacheEntry, NULL // don't return logon guid
); if (Status == STATUS_USER2USER_REQUIRED) { D_DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext failed to get serviceticket ByS4UProxy: STATUS_USER2USER_REQUIRED\n"));
Status = STATUS_SUCCESS;
ContextFlags |= ISC_RET_USE_SESSION_KEY; GetServerTgt = TRUE; } else if (!NT_SUCCESS(Status)) { DebugLog((DEB_WARN, "SpInitLsaModeContext failed to get outbound ticket, KerbGetServiceTicketByS4UProxy failed 0x%x\n",Status)); goto Cleanup; } } else if (TicketCacheEntry == NULL) { D_DebugLog((DEB_TRACE, "SpInitLsaModeContext getting service ticket\n")); Status = KerbGetServiceTicket( LogonSession, Credential, CredManCredentials, TargetInternalName, &TargetDomainName, SpnCacheEntry, ProcessFlags, TicketOptions, 0, // no enc type
ErrorMessage, NULL, // no authorization data
TgtReply, &TicketCacheEntry, NULL // don't return logon guid
); if (Status == STATUS_USER2USER_REQUIRED) { D_DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext failed to get serviceticket: STATUS_USER2USER_REQUIRED\n"));
Status = STATUS_SUCCESS;
ContextFlags |= ISC_RET_USE_SESSION_KEY; GetServerTgt = TRUE; } else if (!NT_SUCCESS(Status)) { DebugLog((DEB_WARN, "SpInitLsaModeContext failed to get outbound ticket, KerbGetServiceTicket failed with 0x%x\n",Status)); goto Cleanup; } }
//
// fail user2user in data gram: not enough round trips to complete the protocol
//
if ((ContextFlags & ISC_RET_USE_SESSION_KEY) && (ContextFlags & ISC_RET_DATAGRAM)) { DebugLog((DEB_ERROR, "SpInitLsaModeContext Client needed session key in datagram, dropping session key\n"));
ContextFlags |= ~ISC_RET_USE_SESSION_KEY;
Status = STATUS_LOGON_FAILURE; goto Cleanup; } } else { //
// Turn off all unsupported flags
//
ContextFlags &= ( ISC_RET_ALLOCATED_MEMORY | ISC_RET_CONNECTION | ISC_RET_DATAGRAM | ISC_RET_NULL_SESSION );
}
//////////////////////////////////////////////////////////////////////
//
// Build the request - an AP request for standard Kerberos, or a TGT
// request.
//
/////////////////////////////////////////////////////////////////////
//
// For datagram requests, there is no output.
//
if ((ContextFlags & ISC_RET_DATAGRAM) == 0) { //
// This is the case where we are constructing a response.
//
if (OutputToken == NULL) { D_DebugLog((DEB_ERROR,"Trying to initialize a context with no output token! %ws, line %d\n", THIS_FILE, __LINE__)); Status = SEC_E_INVALID_TOKEN; goto Cleanup; }
if (UseNullSession) { Status = KerbBuildNullSessionApRequest( &Request, &RequestSize ); } else if (GetServerTgt) { D_DebugLog((DEB_TRACE, "Building TGT request for ")); D_KerbPrintKdcName((DEB_TRACE, TargetInternalName));
if (((ContextRequirements & ISC_REQ_MUTUAL_AUTH) != 0) && (!ARGUMENT_PRESENT(TargetName) || TargetName->Length == 0)) { D_DebugLog((DEB_ERROR, "Client wanted mutual auth, but did not supply target name\n")); Status = SEC_E_UNSUPPORTED_FUNCTION; goto Cleanup; }
Status = KerbBuildTgtRequest( TargetInternalName, &TargetDomainName, &ContextAttribs, &Request, &RequestSize );
D_DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext built TGT request %#x\n", Status));
if (!NT_SUCCESS(Status)) { goto Cleanup; } } else { D_DebugLog((DEB_TRACE_CTXT2,"Building AP request for connection oriented context\n"));
Status = KerbBuildApRequest( LogonSession, Credential, CredManCredentials, TicketCacheEntry, ErrorMessage, ContextAttribs, &ContextFlags, &Request, &RequestSize, &Nonce, &AuthenticatorTime, &SubSessionKey, pChannelBindings ); //
// Set the receive nonce to be the nonce, as the code below
// expects it to be valid.
//
ReceiveNonce = Nonce; }
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR,"Failed to build AP request: 0x%x\n. %ws, line %d\n",Status, THIS_FILE, __LINE__)); goto Cleanup; }
if (OutputToken == NULL) { Status = SEC_E_INVALID_TOKEN; goto Cleanup; }
//
// Return the AP request in the output buffer.
//
if ((ContextRequirements & ISC_REQ_ALLOCATE_MEMORY) == 0) { if (OutputToken->cbBuffer < RequestSize) { ULONG ErrorData[3];
ErrorData[0] = RequestSize; ErrorData[1] = OutputToken->cbBuffer; ErrorData[2] = ClientProcess;
D_DebugLog((DEB_ERROR,"Output token is too small - sent in %d, needed %d. %ws, line %d\n", OutputToken->cbBuffer,RequestSize, THIS_FILE, __LINE__ )); OutputToken->cbBuffer = RequestSize; Status = STATUS_BUFFER_TOO_SMALL;
KerbReportNtstatus( KERBEVT_INSUFFICIENT_TOKEN_SIZE, Status, NULL, 0, ErrorData, 3 );
goto Cleanup;
} RtlCopyMemory( OutputToken->pvBuffer, Request, RequestSize ); } else { OutputToken->pvBuffer = Request; if (OutputToken->pvBuffer == NULL) { Status = STATUS_INSUFFICIENT_RESOURCES; goto Cleanup; } *ContextAttributes |= ISC_RET_ALLOCATED_MEMORY;
//
// Set this to NULL so it won't be freed by us on cleanup.
//
Request = NULL; }
OutputToken->cbBuffer = RequestSize; } else { //
// All we do here is allocate a nonce for use in the context.
//
Nonce = KerbAllocateNonce(); if (OutputToken != NULL) { OutputToken->cbBuffer = 0; } }
//////////////////////////////////////////////////////////////////////
//
// If we haven't yet created a context, created one now. If we have,
// update the context with the latest status.
//
/////////////////////////////////////////////////////////////////////
//
// Allocate a client context, if we don't already have one
//
if (Context == NULL) { Status = KerbCreateClientContext( LogonSession, Credential, CredManCredentials, TicketCacheEntry, TargetName, Nonce, &AuthenticatorTime, ContextFlags, ContextAttribs, &SubSessionKey, &Context, &ContextLifetime );
//CredManCredentials = NULL;
} else { Status = KerbUpdateClientContext( Context, TicketCacheEntry, Nonce, &AuthenticatorTime, ReceiveNonce, ContextFlags, ContextAttribs, &SubSessionKey, &ContextLifetime ); }
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR,"Failed to create client context: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__)); goto Cleanup; }
//
// Keep track of network service session keys to detect whether network
// logon session is for local network service
//
if (RtlEqualLuid(&LogonId, &LocalSystemLuid)) { FILETIME CurTime = {0}; GetSystemTimeAsFileTime(&CurTime);
//
// use 2 times KerbGlobalSkewTime as ticket life time
//
KerbGetTime(*((TimeStamp*) &CurTime)) += 2 * KerbGetTime(KerbGlobalSkewTime);
Status = KerbCreateSKeyEntry(&SubSessionKey, &CurTime); if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR,"Failed to create session key entry: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__)); goto Cleanup; } }
//
// Hold on to the ticket for later use
//
KerbWriteLockContexts(); if ((Context->TicketCacheEntry == NULL) && (TicketCacheEntry != NULL)) { KerbReferenceTicketCacheEntry(TicketCacheEntry); Context->TicketCacheEntry = TicketCacheEntry; } ClientProcess = Context->ClientProcess; KerbUnlockContexts();
//
// update the context with the marshalled target info.
//
if( NT_SUCCESS(Status) && pbMarshalledTargetInfo ) { if( Context->pbMarshalledTargetInfo == NULL ) { Context->pbMarshalledTargetInfo = pbMarshalledTargetInfo; Context->cbMarshalledTargetInfo = cbMarshalledTargetInfo; pbMarshalledTargetInfo = NULL; } }
//
// Return the correct flags
//
*NewContextHandle = KerbGetContextHandle(Context);
*ContextAttributes |= ContextFlags;
KerbUtcTimeToLocalTime( ExpirationTime, &ContextLifetime );
//
// If mutual authentication was requested, ask for a continuation
//
if (((ContextFlags & ( ISC_RET_USED_DCE_STYLE | ISC_RET_DATAGRAM | ISC_RET_MUTUAL_AUTH )) != 0) || GetServerTgt ) { Status = SEC_I_CONTINUE_NEEDED; }
Cleanup:
// Adjust for the new meaning of delegate/delegate-if-safe if they got munged somehow.
if (ClientAskedForDelegateIfSafe && (*ContextAttributes & ISC_RET_DELEGATE)) { (*ContextAttributes) &= ~ISC_RET_DELEGATE; (*ContextAttributes) |= ISC_RET_DELEGATE_IF_SAFE; } else if ((ClientAskedForDelegate) && (*ContextAttributes & ISC_RET_DELEGATE_IF_SAFE)) { (*ContextAttributes) &= ~ISC_RET_DELEGATE_IF_SAFE; (*ContextAttributes) |= ISC_RET_DELEGATE; }
if ( Status == STATUS_WRONG_PASSWORD ) { //
// don't leak WRONG_PASSWORD to the caller.
//
Status = STATUS_LOGON_FAILURE; }
if( KerbEventTraceFlag ) // Event Trace: KerbInitSecurityContextEnd {Status, CredSource, DomainName, UserName, Target, (ExtErr), (Klininfo)}
{ PCWSTR TraceStrings[] = { L"CredMan", L"Supplied", L"Context", L"LogonSession", L"None" }; enum { TSTR_CREDMAN = 0, TSTR_SUPPLIED, TSTR_CONTEXT, TSTR_LOGONSESSION, TSTR_NONE }; UNICODE_STRING UNICODE_NONE = { 4*sizeof(WCHAR), 4*sizeof(WCHAR), L"NONE" };
UNICODE_STRING CredSource; PUNICODE_STRING trace_DomainName, trace_UserName, trace_target;
trace_target = (Context != NULL) ? &Context->ServerPrincipalName : &UNICODE_NONE;
if( Context != NULL && Context->CredManCredentials != NULL ) { RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_CREDMAN] ); trace_DomainName = &Context->CredManCredentials->SuppliedCredentials->DomainName; trace_UserName = &Context->CredManCredentials->SuppliedCredentials->UserName; } else if( Credential != NULL && Credential->SuppliedCredentials != NULL ) { RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_SUPPLIED] ); trace_DomainName = &Credential->SuppliedCredentials->DomainName; trace_UserName = &Credential->SuppliedCredentials->UserName; } else if( Context != NULL ) { RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_CONTEXT] ); trace_DomainName = &Context->ClientRealm; trace_UserName = &Context->ClientName; } else if( LogonSession != NULL ) { RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_LOGONSESSION] ); trace_DomainName = &LogonSession->PrimaryCredentials.DomainName; trace_UserName = &LogonSession->PrimaryCredentials.UserName; } else { RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_NONE] ); trace_DomainName = &UNICODE_NONE; trace_UserName = &UNICODE_NONE; }
INSERT_ULONG_INTO_MOF( Status, InitSCTraceInfo.MofData, 0 ); INSERT_UNICODE_STRING_INTO_MOF( CredSource, InitSCTraceInfo.MofData, 1 ); INSERT_UNICODE_STRING_INTO_MOF( *trace_DomainName, InitSCTraceInfo.MofData, 3 ); INSERT_UNICODE_STRING_INTO_MOF( *trace_UserName, InitSCTraceInfo.MofData, 5 ); INSERT_UNICODE_STRING_INTO_MOF( *trace_target, InitSCTraceInfo.MofData, 7 ); InitSCTraceInfo.EventTrace.Size = sizeof(EVENT_TRACE_HEADER) + 9*sizeof(MOF_FIELD);
//Check for extended error
if( pExtendedError != NULL ) { INSERT_ULONG_INTO_MOF( pExtendedError->status, InitSCTraceInfo.MofData, 9 ); INSERT_ULONG_INTO_MOF( pExtendedError->klininfo, InitSCTraceInfo.MofData, 10 ); InitSCTraceInfo.EventTrace.Size += 2*sizeof(MOF_FIELD); }
// Set trace parameters
InitSCTraceInfo.EventTrace.Guid = KerbInitSCGuid; InitSCTraceInfo.EventTrace.Class.Type = EVENT_TRACE_TYPE_END; InitSCTraceInfo.EventTrace.Flags = WNODE_FLAG_TRACED_GUID | WNODE_FLAG_USE_MOF_PTR;
TraceEvent( KerbTraceLoggerHandle, (PEVENT_TRACE_HEADER)&InitSCTraceInfo ); }
//
// If we allocated a context, unlink it now
//
if (Context != NULL) { if (!NT_SUCCESS(Status)) { //
// Only unlink the context if we just created it
//
if (ContextHandle == 0) { KerbReferenceContextByPointer( Context, TRUE ); KerbDereferenceContext(Context); } else { //
// Set the context to an invalid state.
//
KerbWriteLockContexts(); Context->ContextState = InvalidState; KerbUnlockContexts(); } } else { KerbWriteLockContexts(); if (Status == STATUS_SUCCESS) { Context->ContextState = AuthenticatedState; } else if (!GetServerTgt) { Context->ContextState = ApRequestSentState; } else { Context->ContextState = TgtRequestSentState;
//
// mark the context as user2user
//
Context->ContextAttributes |= KERB_CONTEXT_USER_TO_USER; DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext (TGT in TGT reply) USER2USER-OUTBOUND set\n")); } KerbUnlockContexts(); } KerbDereferenceContext(Context); }
if ((Status == STATUS_SUCCESS) || ((Status == SEC_I_CONTINUE_NEEDED) && ((ContextFlags & ISC_RET_DATAGRAM) != 0))) { NTSTATUS TempStatus;
//
// On real success we map the context to the callers address
// space.
//
TempStatus = KerbMapContext( Context, MappedContext, ContextData );
D_DebugLog((DEB_TRACE, "SpInitLsaModeContext called KerbMapContext ContextAttributes %#x, %#x\n", Context->ContextAttributes, TempStatus));
if (!NT_SUCCESS(TempStatus)) { Status = TempStatus; }
//
// Update the skew time with a success
//
KerbUpdateSkewTime(FALSE); }
if (NULL != CredManCredentials) { KerbDereferenceCredmanCred( CredManCredentials, &LogonSession->CredmanCredentials ); }
if( pbMarshalledTargetInfo ) { LocalFree( pbMarshalledTargetInfo ); }
if (TgtReply != NULL) { KerbFreeData(KERB_TGT_REPLY_PDU, TgtReply); }
if (LogonSession != NULL) { KerbDereferenceLogonSession( LogonSession ); }
if (Credential != NULL) { KerbDereferenceCredential( Credential ); }
if (TicketCacheEntry != NULL) { KerbDereferenceTicketCacheEntry( TicketCacheEntry ); }
if ( SpnCacheEntry != NULL ) { KerbDereferenceSpnCacheEntry( SpnCacheEntry ); }
KerbFreeKerbError( ErrorMessage ); if (NULL != pExtendedError) { KerbFree(pExtendedError); }
if (ErrorData != NULL) { MIDL_user_free(ErrorData); } if (Request != NULL) { KerbFree(Request); } if (Reply != NULL) { KerbFree(Reply); }
KerbFreeKey(&SubSessionKey);
KerbFreeString( &TargetDomainName ); KerbFreeKdcName( &TargetInternalName );
D_DebugLog((DEB_TRACE_LEAKS, "SpInitLsaModeContext returned 0x%x, Context 0x%x, Pid 0x%x\n",KerbMapKerbNtStatusToNtStatus(Status), *NewContextHandle, ClientProcess)); D_DebugLog((DEB_TRACE_API, "SpInitLsaModeContext returned 0x%x\n", KerbMapKerbNtStatusToNtStatus(Status)));
return(KerbMapKerbNtStatusToNtStatus(Status));}
NTSTATUS NTAPISpApplyControlToken( IN LSA_SEC_HANDLE ContextHandle, IN PSecBufferDesc ControlToken ){ NTSTATUS Status = STATUS_NOT_SUPPORTED; D_DebugLog((DEB_TRACE_API,"SpApplyControlToken Called\n")); D_DebugLog((DEB_TRACE_API,"SpApplyControlToken returned 0x%x\n", KerbMapKerbNtStatusToNtStatus(Status))); return(KerbMapKerbNtStatusToNtStatus(Status));}
#ifndef WIN32_CHICAGO //we don't do server side stuff
//+-------------------------------------------------------------------------
//
// Function: SpAcceptLsaModeContext
//
// Synopsis: Kerberos support routine for AcceptSecurityContext call.
// This routine accepts an AP request message from a client
// and verifies that it is a valid ticket. If mutual
// authentication is desired an AP reply is generated to
// send back to the client.
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPISpAcceptLsaModeContext( IN OPTIONAL LSA_SEC_HANDLE CredentialHandle, IN OPTIONAL LSA_SEC_HANDLE ContextHandle, IN PSecBufferDesc InputBuffers, IN ULONG ContextRequirements, IN ULONG TargetDataRep, OUT PLSA_SEC_HANDLE NewContextHandle, OUT PSecBufferDesc OutputBuffers, OUT PULONG ContextAttributes, OUT PTimeStamp ExpirationTime, OUT PBOOLEAN MappedContext, OUT PSecBuffer ContextData ){ PKERB_LOGON_SESSION LogonSession = NULL; PKERB_CREDENTIAL Credential = NULL; NTSTATUS Status = STATUS_SUCCESS; NTSTATUS LastStatus = STATUS_SUCCESS; PKERB_AP_REQUEST Request = NULL; PUCHAR Reply = NULL; PSecBuffer InputToken = NULL; PSecBuffer OutputToken = NULL; ULONG Index; ULONG ReplySize; LUID LogonId; PKERB_ENCRYPTED_TICKET InternalTicket = NULL; PKERB_AUTHENTICATOR InternalAuthenticator = NULL; KERB_ENCRYPTION_KEY SessionKey; KERB_ENCRYPTION_KEY TicketKey; KERB_ENCRYPTION_KEY ServerKey; PKERB_CONTEXT Context = NULL; TimeStamp ContextLifetime; HANDLE TokenHandle = 0; ULONG ContextFlags = 0; ULONG ContextAttribs = KERB_CONTEXT_INBOUND; ULONG NegotiationInfo = SECPKG_NEGOTIATION_COMPLETE; ULONG Nonce = 0; ULONG ReceiveNonce = 0; BOOLEAN UseSuppliedCreds = FALSE; ULONG_PTR LocalCredentialHandle = 0; PSID UserSid = NULL; KERBERR KerbErr = KDC_ERR_NONE; KERB_CONTEXT_STATE ContextState = InvalidState; UNICODE_STRING ServiceDomain = {0}; UNICODE_STRING ClientName = {0}; UNICODE_STRING ClientDomain = {0}; UNICODE_STRING ClientNetbiosDomain = {0}; UNICODE_STRING WorkstationName = {0}; BOOLEAN IsTgtRequest = FALSE; ULONG ClientProcess = 0; PSEC_CHANNEL_BINDINGS pChannelBindings = NULL; PS4U_DELEGATION_INFO S4UDelegationInfo = NULL; PLSA_ADT_STRING_LIST TransittedServices = NULL;
KERB_ACCEPTSC_INFO AcceptSCTraceInfo;
D_DebugLog((DEB_TRACE_API, "SpAcceptLsaModeContext 0x%x called\n", ContextHandle));
if ( KerbEventTraceFlag ) // Event Trace: KerbAcceptSecurityContextStart {No Data}
{ AcceptSCTraceInfo.EventTrace.Guid = KerbAcceptSCGuid; AcceptSCTraceInfo.EventTrace.Class.Type = EVENT_TRACE_TYPE_START; AcceptSCTraceInfo.EventTrace.Flags = WNODE_FLAG_TRACED_GUID; AcceptSCTraceInfo.EventTrace.Size = sizeof (EVENT_TRACE_HEADER);
TraceEvent( KerbTraceLoggerHandle, (PEVENT_TRACE_HEADER)&AcceptSCTraceInfo ); }
//
// Initialize the outputs.
//
*ContextAttributes = 0; *NewContextHandle = 0; *ExpirationTime = KerbGlobalHasNeverTime; *MappedContext = FALSE; ContextData->pvBuffer = NULL; ContextData->cbBuffer = 0;
RtlZeroMemory( &SessionKey, sizeof(KERB_ENCRYPTION_KEY) ); TicketKey = SessionKey; ServerKey = TicketKey;
if (!KerbGlobalInitialized) { Status = STATUS_INVALID_SERVER_STATE; goto Cleanup; }
//
// First locate the Input token.
//
for (Index = 0; Index < InputBuffers->cBuffers ; Index++ ) { if (BUFFERTYPE(InputBuffers->pBuffers[Index]) == SECBUFFER_TOKEN) { InputToken = &InputBuffers->pBuffers[Index]; Status = LsaFunctions->MapBuffer(InputToken,InputToken); break; } }
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR,"Failed to map Input token: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__)); goto Cleanup; }
//
// Check to see if we were passed channel bindings
//
for ( Index = 0; Index < InputBuffers->cBuffers; Index++ ) { if( BUFFERTYPE(InputBuffers->pBuffers[Index]) == SECBUFFER_CHANNEL_BINDINGS ) { Status = LsaFunctions->MapBuffer( &InputBuffers->pBuffers[Index], &InputBuffers->pBuffers[Index] );
if( !NT_SUCCESS(Status) ) { goto Cleanup; }
pChannelBindings = (PSEC_CHANNEL_BINDINGS) InputBuffers->pBuffers[Index].pvBuffer;
Status = KerbValidateChannelBindings(pChannelBindings, InputBuffers->pBuffers[Index].cbBuffer);
if (!NT_SUCCESS(Status)) { pChannelBindings = NULL; goto Cleanup; }
break; } }
//
// Locate the output token
//
for (Index = 0; Index < OutputBuffers->cBuffers ; Index++ ) { if (BUFFERTYPE(OutputBuffers->pBuffers[Index]) == SECBUFFER_TOKEN) { OutputToken = &OutputBuffers->pBuffers[Index]; Status = LsaFunctions->MapBuffer(OutputToken,OutputToken); break; } }
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR,"Failed to map output token: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__)); goto Cleanup; }
//
// If the context handle is no NULL we are finalizing a context
//
if (ContextHandle != 0) { if (InputToken == NULL) { D_DebugLog((DEB_ERROR,"Trying to complete a context with no input token! %ws, line %d\n", THIS_FILE, __LINE__)); Status = SEC_E_INVALID_TOKEN; goto Cleanup; }
//
// First reference the context.
//
Status = KerbReferenceContext( ContextHandle, FALSE, // don't unlink
&Context ); if (Context == NULL) { D_DebugLog((DEB_ERROR,"Failed to reference context 0x%x. %ws, line %d\n",ContextHandle, THIS_FILE, __LINE__)); goto Cleanup; }
//
// Check the mode of the context to make sure we can finalize it.
//
KerbReadLockContexts();
ContextState = Context->ContextState; if (((ContextState != ApReplySentState) && (ContextState != TgtReplySentState) && (ContextState != ErrorMessageSentState)) || ((Context->ContextAttributes & KERB_CONTEXT_INBOUND) == 0)) { D_DebugLog((DEB_ERROR,"Invalid context state: %d. %ws, line %d\n", Context->ContextState, THIS_FILE, __LINE__)); Status = STATUS_INVALID_HANDLE; KerbUnlockContexts(); goto Cleanup; }
if ((Context->ContextAttributes & KERB_CONTEXT_USED_SUPPLIED_CREDS) != 0) { UseSuppliedCreds = TRUE; }
ContextFlags = Context->ContextFlags; LogonId = Context->LogonId; LocalCredentialHandle = Context->CredentialHandle; ClientProcess = Context->ClientProcess; KerbUnlockContexts(); }
if (CredentialHandle != 0) { if ((LocalCredentialHandle != 0) && (CredentialHandle != LocalCredentialHandle)) { D_DebugLog((DEB_ERROR,"Different cred handle passsed to subsequent call to AcceptSecurityContext: 0x%x instead of 0x%x. %ws, line %d\n", CredentialHandle, LocalCredentialHandle, THIS_FILE, __LINE__ )); Status = STATUS_WRONG_CREDENTIAL_HANDLE; goto Cleanup; } } else { CredentialHandle = LocalCredentialHandle; } //
// If we are finalizing a context, do that here
//
if (ContextState == ApReplySentState) { //
// If we are doing datgram, then the finalize is actually an AP request
//
if ((ContextFlags & ISC_RET_DATAGRAM) != 0) { //
// Get the logon session
//
LogonSession = KerbReferenceLogonSession( &LogonId, FALSE ); if (LogonSession == NULL) { Status = STATUS_NO_SUCH_LOGON_SESSION; goto Cleanup; }
//
// If we are using supplied creds, get the credentials. Copy
// out the domain name so we can use it to verify the PAC.
//
Status = KerbReferenceCredential( LocalCredentialHandle, KERB_CRED_INBOUND, FALSE, // don't dereference
&Credential ); if (!NT_SUCCESS(Status)) { goto Cleanup; }
if (UseSuppliedCreds) { KerbReadLockLogonSessions(LogonSession); Status = KerbDuplicateString( &ServiceDomain, &Credential->SuppliedCredentials->DomainName ); KerbUnlockLogonSessions(LogonSession); } else { KerbReadLockLogonSessions(LogonSession); Status = KerbDuplicateString( &ServiceDomain, &LogonSession->PrimaryCredentials.DomainName ); KerbUnlockLogonSessions(LogonSession); } if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// Verify the AP request
//
Status = KerbVerifyApRequest( Context, (PUCHAR) InputToken->pvBuffer, InputToken->cbBuffer, LogonSession, Credential, UseSuppliedCreds, ((ContextRequirements & ASC_REQ_ALLOW_CONTEXT_REPLAY) == 0), &Request, &InternalTicket, &InternalAuthenticator, &SessionKey, &TicketKey, &ServerKey, &ContextFlags, &ContextAttribs, &KerbErr, pChannelBindings );
//
// We don't allow user-to-user recovery with datagram
//
if ((Status == STATUS_REPARSE_OBJECT) // this is a TGT request
|| ((Status == SEC_E_NO_CREDENTIALS) && (KerbErr == KRB_AP_ERR_USER_TO_USER_REQUIRED))) { DebugLog((DEB_ERROR, "Won't allow user2user with Datagram. %ws, line %d\n", THIS_FILE, __LINE__)); Status = SEC_E_INVALID_TOKEN; KerbErr = KRB_AP_ERR_MSG_TYPE; goto ErrorReturn; }
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR, "Failed to verify AP request: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__));
//
// Let the skew tracker know about the failure
//
if (KerbErr == KRB_AP_ERR_SKEW) { KerbUpdateSkewTime(TRUE); }
//
// Go to ErrorReturn so we can return an error message
//
goto ErrorReturn; }
//
// Turn on the flag if it was called for
//
if ((ContextRequirements & ASC_REQ_ALLOW_CONTEXT_REPLAY) != 0) { ContextFlags |= ASC_RET_ALLOW_CONTEXT_REPLAY; }
//
// Record the success
//
KerbUpdateSkewTime(FALSE);
//
// Check if the caller wants to allow null sessions
//
if (((ContextFlags & ISC_RET_NULL_SESSION) != 0) && ((ContextRequirements & ASC_REQ_ALLOW_NULL_SESSION) == 0)) { D_DebugLog((DEB_ERROR,"Received null session but not allowed. %ws, line %d\n", THIS_FILE, __LINE__)); Status = STATUS_LOGON_FAILURE; goto Cleanup; }
//
// Save away the ReceiveNonce if it was provided
//
if ((InternalAuthenticator!= NULL) && ((InternalAuthenticator->bit_mask & KERB_AUTHENTICATOR_sequence_number_present) != 0)) {
//
// If the number is unsigned, convert it as unsigned. Otherwise
// convert as signed.
//
if (ASN1intxisuint32(&InternalAuthenticator->KERB_AUTHENTICATOR_sequence_number)) { ReceiveNonce = ASN1intx2uint32(&InternalAuthenticator->KERB_AUTHENTICATOR_sequence_number); } else { ReceiveNonce = (ULONG) ASN1intx2int32(&InternalAuthenticator->KERB_AUTHENTICATOR_sequence_number); } } else { ReceiveNonce = 0; }
//
// Authentication succeeded, so build a token
//
#ifdef DBG
InterlockedIncrement(&Token); // make sure we audit all token creation.
#endif
Status = KerbCreateTokenFromTicket( &LogonId, Request, InternalTicket, InternalAuthenticator, ContextFlags, &ServerKey, &ServiceDomain, &SessionKey, &LogonId, &UserSid, &TokenHandle, &ClientName, &ClientDomain, &ClientNetbiosDomain, &S4UDelegationInfo );
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR,"Failed to create token from ticket: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__)); goto Cleanup; }
Status = KerbUpdateServerContext( Context, InternalTicket, Request, &SessionKey, &LogonId, &UserSid, ContextFlags, ContextAttribs, NegotiationInfo, Nonce, ReceiveNonce, &TokenHandle, &ClientName, &ClientDomain, &ClientNetbiosDomain, &ContextLifetime );
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR,"Failed to create server context: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__)); goto Cleanup; } } else { //
// Now unpack the AP reply
//
Status = KerbVerifyApReply( Context, (PUCHAR) InputToken->pvBuffer, InputToken->cbBuffer, &Nonce ); if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR,"Failed to verify AP reply: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__)); goto Cleanup; }
//
// We're done - we finalized.
//
Status = STATUS_SUCCESS;
if (OutputToken != NULL) { OutputToken->cbBuffer = 0; } }
KerbReadLockContexts(); *ContextAttributes = KerbMapContextFlags(Context->ContextFlags);
KerbUtcTimeToLocalTime( ExpirationTime, &Context->Lifetime );
if (OutputToken != NULL) { OutputToken->cbBuffer = 0; }
*NewContextHandle = ContextHandle; KerbUnlockContexts();
goto Cleanup; // datagram and finalized contexts exit here.
}
//
// Get the associated credential
//
Status = KerbReferenceCredential( CredentialHandle, KERB_CRED_INBOUND, FALSE, &Credential );
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_WARN,"Failed to locate credential 0x%x\n",Status)); goto Cleanup; }
//
// Get the logon id from the credentials so we can locate the
// logon session.
//
LogonId = Credential->LogonId;
//
// Get the logon session
//
LogonSession = KerbReferenceLogonSession( &LogonId, FALSE ); if (LogonSession == NULL) { Status = STATUS_NO_SUCH_LOGON_SESSION; goto Cleanup; }
KerbReadLockLogonSessions(LogonSession); if ((Credential->CredentialFlags & KERB_CRED_LOCAL_ACCOUNT) != 0) { D_DebugLog((DEB_WARN, "Trying to use a local logon session with Kerberos\n")); KerbUnlockLogonSessions(LogonSession); Status = SEC_E_NO_CREDENTIALS; goto Cleanup; }
if (Credential->SuppliedCredentials != NULL) { UseSuppliedCreds = TRUE; ContextAttribs |= KERB_CONTEXT_USED_SUPPLIED_CREDS; Status = KerbDuplicateString( &ServiceDomain, &Credential->SuppliedCredentials->DomainName );
} else { Status = KerbDuplicateString( &ServiceDomain, &LogonSession->PrimaryCredentials.DomainName ); }
#if DBG
D_DebugLog((DEB_TRACE_CTXT, "SpAcceptLsaModeContext: Accepting context for %wZ\\%wZ\n", &LogonSession->PrimaryCredentials.DomainName, &LogonSession->PrimaryCredentials.UserName ));#endif
KerbUnlockLogonSessions(LogonSession);
if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// If datagram was requested, note it now. There is no input
// buffer on the first call using datagram.
//
if ((ContextRequirements & ASC_REQ_DATAGRAM) != 0) { D_DebugLog((DEB_TRACE_CTXT2, "Accepting datagram first call\n"));
//
// Verify that there is no input token or it is small. RPC passes
// in two bytes for the DEC package that we can ignore.
//
if ((InputToken != NULL) && (InputToken->cbBuffer > 4)) { D_DebugLog((DEB_WARN, "Non null input token passed to AcceptSecurityContext for datagram\n")); Status = SEC_E_INVALID_TOKEN; goto Cleanup; }
ContextFlags |= ISC_RET_DATAGRAM; ReceiveNonce = 0;
//
// Build a server context
//
Status = KerbCreateEmptyContext( Credential, ContextFlags, ContextAttribs, NegotiationInfo, &LogonId, &Context, &ContextLifetime );
if (!NT_SUCCESS(Status)) { D_DebugLog((DEB_ERROR,"Failed to create server context: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__)); goto Cleanup; }
if (OutputToken != NULL) { OutputToken->cbBuffer = 0; } } else { D_DebugLog((DEB_TRACE_CTXT2, "Accepting connection first call\n"));
//
// Unmarshall the AP request
//
if ((InputToken == NULL) || (InputToken->cbBuffer == 0)) { D_DebugLog((DEB_WARN, "Null input token passed to AcceptSecurityContext for datagram\n")); Status = SEC_E_INVALID_TOKEN; goto Cleanup; }
//
// Verify the AP request
//
Status = KerbVerifyApRequest( Context, (PUCHAR) InputToken->pvBuffer, InputToken->cbBuffer, LogonSession, Credential, UseSuppliedCreds, ((ContextRequirements & ASC_REQ_ALLOW_CONTEXT_REPLAY) == 0), &Request, &InternalTicket, &InternalAuthenticator, &SessionKey, &TicketKey, &ServerKey, &ContextFlags, &ContextAttribs, &KerbErr, pChannelBindings );
if (!NT_SUCCESS(Status)) { //
// Track time skew errors
//
if ((KerbErr == KRB_AP_ERR_SKEW) || (KerbErr == KRB_AP_ERR_TKT_NYV)) { KerbUpdateSkewTime(TRUE); }
DebugLog((DEB_WARN, "Failed to verify AP request (need u2u? %s): %#x. %ws, line %d\n", KerbErr == KRB_AP_ERR_USER_TO_USER_REQUIRED ? "true" : "false", Status, THIS_FILE, __LINE__));
goto ErrorReturn; }
ContextFlags |= ISC_RET_CONNECTION;
//
// Check if this was a user-to-user tgt request. If so, then
// there was no AP request
//
if (Status == STATUS_REPARSE_OBJECT) { IsTgtRequest = TRUE;
Status = KerbHandleTgtRequest( LogonSession, Credential, UseSuppliedCreds, (PUCHAR) InputToken->pvBuffer, InputToken->cbBuffer, ContextRequirements, OutputToken, &LogonId, ContextAttributes, &Context, &ContextLifetime, &KerbErr );
if (!NT_SUCCESS(Status)) { goto ErrorReturn; }
ContextFlags |= ISC_RET_USE_SESSION_KEY;
D_DebugLog((DEB_TRACE_U2U, "SpAcceptLsaModeContext handled TGT request and use_session_key set, ContextAttributes %#x\n", Context->ContextAttributes)); } else // not a user-to-user request
{ //
// Track successful time if this wasn't an error recovery
//
if (ContextState != ErrorMessageSentState) { KerbUpdateSkewTime(FALSE); } if ((InternalAuthenticator != NULL) && (InternalAuthenticator->bit_mask & KERB_AUTHENTICATOR_sequence_number_present)) { //
// If the number is unsigned, convert it as unsigned. Otherwise
// convert as signed.
//
if (ASN1intxisuint32(&InternalAuthenticator->KERB_AUTHENTICATOR_sequence_number)) { ReceiveNonce = ASN1intx2uint32(&InternalAuthenticator->KERB_AUTHENTICATOR_sequence_number); } else { ReceiveNonce = (ULONG) ASN1intx2int32(&InternalAuthenticator->KERB_AUTHENTICATOR_sequence_number); } } else { ReceiveNonce = 0; }
//
// Initialize the opposite direction nonce to the same value
//
Nonce = ReceiveNonce;
//
// Turn on the flag if it was called for
//
if ((ContextRequirements & ASC_REQ_ALLOW_CONTEXT_REPLAY) != 0) { ContextFlags |= ASC_RET_ALLOW_CONTEXT_REPLAY; }
//
// Check if the caller wants to allow null sessions
//
if (((ContextFlags & ISC_RET_NULL_SESSION) != 0) && ((ContextRequirements & ASC_REQ_ALLOW_NULL_SESSION) == 0)) { D_DebugLog((DEB_ERROR,"Received null session but not allowed. %ws, line %d\n", THIS_FILE, __LINE__)); Status = STATUS_LOGON_FAILURE; goto Cleanup; }
//
// Authentication succeeded, so build a token
//
D_DebugLog((DEB_TRACE_CTXT2, "AcceptLsaModeContext: Creating token from ticket\n"));#ifdef DBG
InterlockedIncrement(&Token); // make sure we audit all token creation
#endif
Status = KerbCreateTokenFromTicket( &LogonId, Request, InternalTicket, InternalAuthenticator, ContextFlags, &ServerKey, &ServiceDomain, &SessionKey, &LogonId, &UserSid, &TokenHandle, &ClientName, &ClientDomain, &ClientNetbiosDomain, &S4UDelegationInfo );
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR,"Failed to create token from ticket: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__)); goto Cleanup; }
//
// If the caller wants mutual authentication, build an AP reply
//
if (((ContextFlags & ISC_RET_MUTUAL_AUTH) != 0) || ((ContextFlags & ISC_RET_USED_DCE_STYLE) != 0)) { //
// We require an output token in this case.
//
if (OutputToken == NULL) { Status = SEC_E_INVALID_TOKEN; DebugLog((DEB_ERROR,"SpAcceptLsaModeContext encountered null output token\n")); goto Cleanup; }
//
// Build the reply message
//
D_DebugLog((DEB_TRACE_CTXT2,"SpAcceptLsaModeContext: Building AP reply\n")); Status = KerbBuildApReply( InternalAuthenticator, Request, ContextFlags, ContextAttribs, &TicketKey, &SessionKey, &Nonce, &Reply, &ReplySize );
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR,"Failed to build AP reply: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__)); goto Cleanup; }
if (OutputToken == NULL) { D_DebugLog((DEB_ERROR,"Output token missing. %ws, line %d\n", THIS_FILE, __LINE__)); Status = STATUS_INVALID_PARAMETER; goto Cleanup; }
//
// Return the AP reply in the output buffer.
//
if ((ContextRequirements & ISC_REQ_ALLOCATE_MEMORY) == 0) { if (OutputToken->cbBuffer < ReplySize) { ULONG ErrorData[3];
ErrorData[0] = ReplySize; ErrorData[1] = OutputToken->cbBuffer; ErrorData[2] = ClientProcess;
D_DebugLog((DEB_ERROR,"Output token is too small - sent in %d, needed %d. %ws, line %d\n", OutputToken->cbBuffer,ReplySize, THIS_FILE, __LINE__ )); OutputToken->cbBuffer = ReplySize; Status = STATUS_BUFFER_TOO_SMALL;
KerbReportNtstatus( KERBEVT_INSUFFICIENT_TOKEN_SIZE, Status, NULL, 0, ErrorData, 3 );
goto Cleanup; }
RtlCopyMemory( OutputToken->pvBuffer, Reply, ReplySize ); } else { OutputToken->pvBuffer = Reply; Reply = NULL; *ContextAttributes |= ASC_RET_ALLOCATED_MEMORY; }
OutputToken->cbBuffer = ReplySize; } else { if (OutputToken != NULL) { OutputToken->cbBuffer = 0; } }
//
// Build a server context if we don't already have one.
//
//
// Turn on the flag if it was called for
//
if ((ContextRequirements & ASC_REQ_ALLOW_CONTEXT_REPLAY) != 0) { ContextFlags |= ASC_RET_ALLOW_CONTEXT_REPLAY; }
if (Context == NULL) { Status = KerbCreateServerContext( LogonSession, Credential, InternalTicket, Request, &SessionKey, &LogonId, &UserSid, ContextFlags, ContextAttribs, NegotiationInfo, Nonce, ReceiveNonce, &TokenHandle, &ClientName, &ClientDomain, &ClientNetbiosDomain, &Context, &ContextLifetime ); } else { //
// Update an existing context
//
Status = KerbUpdateServerContext( Context, InternalTicket, Request, &SessionKey, &LogonId, &UserSid, ContextFlags, ContextAttribs, NegotiationInfo, Nonce, ReceiveNonce, &TokenHandle, &ClientName, &ClientDomain, &ClientNetbiosDomain, &ContextLifetime ); }
if (!NT_SUCCESS(Status)) { DebugLog((DEB_ERROR,"Failed to create or update server context: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__)); goto Cleanup; } } // not a TGT request
} // not datagram
*NewContextHandle = KerbGetContextHandle(Context); KerbUtcTimeToLocalTime( ExpirationTime, &ContextLifetime );
#if DBG
KerbReadLockContexts(); ClientProcess = Context->ClientProcess; KerbUnlockContexts();#endif // DBG
*ContextAttributes |= KerbMapContextFlags(ContextFlags);
if (IsTgtRequest || (((ContextFlags & ISC_RET_USED_DCE_STYLE) != 0) || ((ContextFlags & ISC_RET_DATAGRAM) != 0))) { Status = SEC_I_CONTINUE_NEEDED; }
goto Cleanup;
ErrorReturn:
//
// Generate a KERB_ERROR message if necessary, meaning that there was
// an authentication failure.
//
if ((OutputToken != NULL ) && (!KERB_SUCCESS(KerbErr) || ((ContextRequirements & ASC_REQ_EXTENDED_ERROR) != 0) || ((ContextFlags & ISC_RET_EXTENDED_ERROR) != 0))) { NTSTATUS TempStatus; PBYTE ErrorMessage = NULL; ULONG ErrorMessageSize; PBYTE ErrorData = NULL; ULONG ErrorDataSize = 0;
//
// Check whether it is an error we want the client to retry on.
// For datagram, we can't handle this.
//
if (ContextRequirements & ASC_REQ_DATAGRAM) { goto Cleanup; } if (!(((ContextRequirements & ASC_REQ_EXTENDED_ERROR) != 0) || (KerbErr == KRB_AP_ERR_USER_TO_USER_REQUIRED) || (KerbErr == KRB_AP_ERR_SKEW) || (KerbErr == KRB_AP_ERR_TKT_NYV) || (KerbErr == KRB_AP_ERR_TKT_EXPIRED) || (KerbErr == KRB_AP_ERR_MODIFIED) )) { goto Cleanup; }
//
// Create an empty context that can be used later
//
if (Context == NULL) { TempStatus = KerbCreateEmptyContext( Credential, ContextFlags, ContextAttribs, NegotiationInfo, &LogonId, &Context, &ContextLifetime ); if (!NT_SUCCESS(TempStatus)) { goto Cleanup; } }
//
// if the error code is one with error data, build the error data
//
switch ((UINT_PTR) KerbErr) { case (UINT_PTR) KRB_AP_ERR_USER_TO_USER_REQUIRED: NTSTATUS TempStatus;
//
// KerbBuildTgtErrorReply shall fail if neither TGTs nor longer secrets are available
//
TempStatus = KerbBuildTgtErrorReply( LogonSession, Credential, UseSuppliedCreds, Context, &ErrorDataSize, &ErrorData );
D_DebugLog((DEB_TRACE_U2U, "SpAcceptLsaModeContext called KerbBuildTgtErrorReply %#x\n", TempStatus));
if (TempStatus == STATUS_USER2USER_REQUIRED) { KerbErr = KRB_AP_ERR_NO_TGT; } else if (!NT_SUCCESS(TempStatus)) { D_DebugLog((DEB_ERROR, "Failed to build tgt error reply: 0x%x. Ignoring. %ws, line %d\n", TempStatus, THIS_FILE, __LINE__)); }
break; case (UINT_PTR) KDC_ERR_NONE: //
// In this case, return the KRB_ERR_GENERIC and the NTSTATUS code
// in the error data
//
KerbErr = KRB_ERR_GENERIC; ErrorData = (PUCHAR) &Status; ErrorDataSize = sizeof(ULONG); break; }
TempStatus = KerbBuildGssErrorMessage( KerbErr, ErrorData, ErrorDataSize, Context, &ErrorMessageSize, &ErrorMessage );
if ((ErrorData != NULL) && (ErrorData != (PUCHAR) &Status)) { MIDL_user_free(ErrorData); }
if (!NT_SUCCESS(TempStatus)) { goto Cleanup; }
if ((ContextRequirements & ISC_REQ_ALLOCATE_MEMORY) == 0) { if (OutputToken->cbBuffer < ErrorMessageSize) { D_DebugLog((DEB_ERROR,"Output token is too small - sent in %d, needed %d. %ws, line %d\n", OutputToken->cbBuffer,ErrorMessageSize, THIS_FILE, __LINE__ )); MIDL_user_free(ErrorMessage); goto Cleanup; } else { DsysAssert(OutputToken->pvBuffer != NULL); RtlCopyMemory( OutputToken->pvBuffer, ErrorMessage, ErrorMessageSize ); OutputToken->cbBuffer = ErrorMessageSize; MIDL_user_free(ErrorMessage); } } else { DsysAssert(OutputToken->pvBuffer == NULL); OutputToken->cbBuffer = ErrorMessageSize; OutputToken->pvBuffer = ErrorMessage; ErrorMessage = NULL; *ContextAttributes |= ASC_RET_ALLOCATED_MEMORY; } *ContextAttributes |= ASC_RET_EXTENDED_ERROR;
*NewContextHandle = KerbGetContextHandle(Context); KerbUtcTimeToLocalTime( ExpirationTime, &ContextLifetime ); *ContextAttributes |= KerbMapContextFlags(ContextFlags);
LastStatus = Status;
//
// now it is time to mark the context as user2user
//
if (KerbErr == KRB_AP_ERR_USER_TO_USER_REQUIRED) { DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext (TGT in error reply) USER2USER-INBOUND set\n"));
KerbWriteLockContexts() Context->ContextAttributes |= KERB_CONTEXT_USER_TO_USER; KerbUnlockContexts(); }
Status = SEC_I_CONTINUE_NEEDED; }
Cleanup: if( KerbEventTraceFlag ) // Event Trace: KerbAcceptSecurityContextEnd {Status, CredSource, DomainName, UserName, Target, (ExtError), (klininfo)}
{
PCWSTR TraceStrings[] = { L"CredMan", L"Supplied", L"Context", L"LogonSession", L"None" }; enum { TSTR_CREDMAN = 0, TSTR_SUPPLIED, TSTR_CONTEXT, TSTR_LOGONSESSION, TSTR_NONE }; UNICODE_STRING UNICODE_NONE = { 4*sizeof(WCHAR), 4*sizeof(WCHAR), L"NONE" };
UNICODE_STRING CredSource; PUNICODE_STRING trace_DomainName, trace_UserName, trace_target;
trace_target = (Context!=NULL) ? &Context->ServerPrincipalName : &UNICODE_NONE;
if( Context != NULL && Context->CredManCredentials != NULL ) { RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_CREDMAN] ); trace_DomainName = &Context->CredManCredentials->SuppliedCredentials->DomainName; trace_UserName = &Context->CredManCredentials->SuppliedCredentials->UserName; } else if( Credential != NULL && Credential->SuppliedCredentials != NULL ) { RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_SUPPLIED] ); trace_DomainName = &Credential->SuppliedCredentials->DomainName; trace_UserName = &Credential->SuppliedCredentials->UserName; } else if( Context != NULL ) { RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_CONTEXT] ); trace_DomainName = &Context->ClientRealm; trace_UserName = &Context->ClientName; } else if( LogonSession != NULL ) { RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_LOGONSESSION] ); trace_DomainName = &LogonSession->PrimaryCredentials.DomainName; trace_UserName = &LogonSession->PrimaryCredentials.UserName; } else { RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_NONE] ); trace_DomainName = &UNICODE_NONE; trace_UserName = &UNICODE_NONE; }
INSERT_ULONG_INTO_MOF( Status, AcceptSCTraceInfo.MofData, 0 ); INSERT_UNICODE_STRING_INTO_MOF( CredSource, AcceptSCTraceInfo.MofData, 1 ); INSERT_UNICODE_STRING_INTO_MOF( *trace_DomainName, AcceptSCTraceInfo.MofData, 3 ); INSERT_UNICODE_STRING_INTO_MOF( *trace_UserName, AcceptSCTraceInfo.MofData, 5 ); INSERT_UNICODE_STRING_INTO_MOF( *trace_target, AcceptSCTraceInfo.MofData, 7 ); AcceptSCTraceInfo.EventTrace.Size = sizeof(EVENT_TRACE_HEADER) + 9*sizeof(MOF_FIELD);
// Set trace parameters
AcceptSCTraceInfo.EventTrace.Guid = KerbAcceptSCGuid; AcceptSCTraceInfo.EventTrace.Class.Type = EVENT_TRACE_TYPE_END; AcceptSCTraceInfo.EventTrace.Flags = WNODE_FLAG_TRACED_GUID | WNODE_FLAG_USE_MOF_PTR;
TraceEvent( KerbTraceLoggerHandle, (PEVENT_TRACE_HEADER)&AcceptSCTraceInfo ); }
if ((InternalTicket != NULL) && ((InternalTicket->bit_mask & KERB_ENCRYPTED_TICKET_client_addresses_present) != 0))
{ (VOID) KerbGetClientNetbiosAddress( &WorkstationName, InternalTicket->KERB_ENCRYPTED_TICKET_client_addresses ); }
//
// First, handle auditing
//
if (Status == STATUS_SUCCESS) { //
// The following generates a successful audit event.
// A new field (logon GUID) was added to this audit event.
//
// In order to send this new field to LSA, we had two options:
// 1) add new function (AuditLogonEx) to LSA dispatch table
// 2) define a private (LsaI) function to do the job
//
// option#2 was chosen because the logon GUID is a Kerberos only
// feature.
//
if (S4UDelegationInfo) { TransittedServices = (PLSA_ADT_STRING_LIST)KerbAllocate( sizeof(LSA_ADT_STRING_LIST) + sizeof(LSA_ADT_STRING_LIST_ENTRY) * S4UDelegationInfo->TransitedListSize);
if (TransittedServices) { PLSA_ADT_STRING_LIST_ENTRY Entry;
Entry = (PLSA_ADT_STRING_LIST_ENTRY)&TransittedServices[1];
TransittedServices->cStrings = S4UDelegationInfo->TransitedListSize; TransittedServices->Strings = Entry;
for (ULONG i = 0; i < S4UDelegationInfo->TransitedListSize; i++) { Entry->Flags = 0; Entry->String.Length = S4UDelegationInfo->S4UTransitedServices[i].Length; Entry->String.MaximumLength = S4UDelegationInfo->S4UTransitedServices[i].MaximumLength; Entry->String.Buffer = S4UDelegationInfo->S4UTransitedServices[i].Buffer; Entry++; } } }
DsysAssert(Context);
(void) KerbAuditLogon( Status, Status, Context, &WorkstationName, &LogonId, TransittedServices );
#ifdef DBG
InterlockedIncrement(&Audits);#endif
} else if (!NT_SUCCESS(Status) || (LastStatus != STATUS_SUCCESS)) { PUNICODE_STRING Wks = ((WorkstationName.Length) ? &WorkstationName : NULL);
if (Context != NULL) { LsaFunctions->AuditLogon( STATUS_LOGON_FAILURE, (LastStatus != STATUS_SUCCESS) ? LastStatus : Status, &Context->ClientName, &Context->ClientRealm, Wks, NULL, // no sid instead of a bogus one
Network, &KerberosSource, &LogonId ); } else { UNICODE_STRING EmptyString = NULL_UNICODE_STRING;
LsaFunctions->AuditLogon( (LastStatus != STATUS_SUCCESS) ? LastStatus : Status, STATUS_SUCCESS, &EmptyString, &EmptyString, Wks, NULL, Network, &KerberosSource, &LogonId ); } }
if (Context != NULL) { if (!NT_SUCCESS(Status)) { //
// Only unlink the context if we just created it.
//
if (ContextHandle == 0) { KerbReferenceContextByPointer( Context, TRUE ); KerbDereferenceContext(Context); } else { //
// Set the context to an invalid state.
//
KerbWriteLockContexts(); Context->ContextState = InvalidState; KerbUnlockContexts(); } } else { KerbWriteLockContexts(); if (Status == STATUS_SUCCESS) { Context->ContextState = AuthenticatedState; } else { if ((*ContextAttributes & ASC_RET_EXTENDED_ERROR) != 0) { Context->ContextState = ErrorMessageSentState; } else if (!IsTgtRequest) { Context->ContextState = ApReplySentState; } else { //
// else the HandleTgtRequest set the state
//
DsysAssert(Context->ContextState == TgtReplySentState); } } KerbUnlockContexts(); } KerbDereferenceContext(Context); }
if (Status == STATUS_SUCCESS) { //
// On real success we map the context to the callers address
// space.
//
Status = KerbMapContext( Context, MappedContext, ContextData );
DebugLog((DEB_TRACE, "SpAcceptLsaModeContext called KerbMapContext ContextAttributes %#x, %#x\n", Context->ContextAttributes, Status)); }
if (LogonSession != NULL) { KerbDereferenceLogonSession( LogonSession ); }
if (Credential != NULL) { KerbDereferenceCredential( Credential ); }
if (InternalTicket != NULL) { KerbFreeTicket( InternalTicket ); } if (InternalAuthenticator != NULL) { KerbFreeAuthenticator(InternalAuthenticator); } if (Request != NULL) { KerbFreeApRequest(Request); }
if (Reply != NULL) { KerbFree(Reply); } KerbFreeKey(&SessionKey); KerbFreeKey(&ServerKey);
if (UserSid != NULL) { KerbFree(UserSid); }
//
// If there was a problem with the context or AP reply, the TokenHandle
// will not be reset to NULL. If it is NULL, close it so we don't leak
//
if ( TokenHandle != NULL ) { D_DebugLog(( DEB_TRACE, "Closing token handle because context creation failed (%x)\n", Status ));
NtClose( TokenHandle ); }
//
// Update performance counter
//
#ifndef WIN32_CHICAGO
if (ContextHandle == 0) { I_SamIIncrementPerformanceCounter(KerbServerContextCounter); }#endif // WIN32_CHICAGO
KerbFreeKey(&TicketKey); KerbFreeString(&ServiceDomain); KerbFreeString(&ClientDomain); KerbFreeString(&ClientNetbiosDomain); KerbFreeString(&ClientName); KerbFreeString(&WorkstationName);
if (TransittedServices) { KerbFree(TransittedServices); }
if (S4UDelegationInfo) {#if DBG
D_DebugLog((DEB_TRACE_S4U, "SpAcceptLsaModeContext target %wZ\n", &S4UDelegationInfo->S4U2proxyTarget)); for ( ULONG i = 0; i < S4UDelegationInfo->TransitedListSize; i++ ) { D_DebugLog((DEB_TRACE_S4U, "SpAcceptLsaModeContext ts %#x: %wZ\n", i, &S4UDelegationInfo->S4UTransitedServices[i])); }#endif // DBG
MIDL_user_free(S4UDelegationInfo); }
D_DebugLog((DEB_TRACE_LEAKS,"SpAcceptLsaModeContext returned 0x%x, Context 0x%x, Pid 0x%x\n",KerbMapKerbNtStatusToNtStatus(Status), *NewContextHandle, ClientProcess)); D_DebugLog((DEB_TRACE_API, "SpAcceptLsaModeContext (%p) returned 0x%x\n", Context, KerbMapKerbNtStatusToNtStatus(Status))); // fester
return (KerbMapKerbNtStatusToNtStatus(Status));}#endif WIN32_CHICAGO //we don't do server side stuff
|
