/*++ Copyright (c) 1997-1999 Microsoft Corporation Module Name: efs.c Abstract: EFS (Encrypting File System) API Interfaces Author: Robert Reichel (RobertRe) Robert Gu (RobertG) Environment: Revision History: --*/ #undef WIN32_LEAN_AND_MEAN #include "advapi.h" #include #include #define FE_CLIENT_DLL L"feclient.dll" // // Global Variables // LPFE_CLIENT_INFO FeClientInfo = NULL; HMODULE FeClientModule = NULL; CRITICAL_SECTION FeClientLoadCritical; LPWSTR GetFeClientDll( VOID ) /*++ Routine Description: This routine obtains the name of the currently installed client encryption dll (which is currently hardcoded). Arguments: None. Return Value: Returns the name of the current DLL, or NULL on error. --*/ { return( FE_CLIENT_DLL ); } BOOL LoadAndInitFeClient( VOID ) /*++ Routine Description: This routine finds the name of the proper client dll (by some as of yet unspecified means) and proceeds to load it and initialize it. Arguments: None. Return Value: TRUE on success, FALSE on failure. Callers may call GetLastError() for more error information. --*/ { LPWSTR FeClientDllName; LPFEAPI_CLIENT_INITIALIZE ClientInitRoutine; BOOL Inited; // // GetFeClientDll returns a hard coded name. // If we get this name dynamically later, we will // need to free FeClientDllName. // FeClientDllName = GetFeClientDll(); EnterCriticalSection(&FeClientLoadCritical); if (FeClientInfo) { LeaveCriticalSection(&FeClientLoadCritical); return( TRUE ); } if (FeClientDllName) { FeClientModule = LoadLibraryW( FeClientDllName ); if (FeClientModule == NULL) { DbgPrint("Unable to load client dll, error = %d\n",GetLastError()); LeaveCriticalSection(&FeClientLoadCritical); return( FALSE ); } } ClientInitRoutine = (LPFEAPI_CLIENT_INITIALIZE) GetProcAddress( FeClientModule, (LPCSTR)"FeClientInitialize"); if (NULL == ClientInitRoutine) { FreeLibrary( FeClientModule ); DbgPrint("Unable to locate init routine, error = %d\n",GetLastError()); LeaveCriticalSection(&FeClientLoadCritical); return( FALSE ); } Inited = (*ClientInitRoutine)( FE_REVISION_1_0, &FeClientInfo ); LeaveCriticalSection(&FeClientLoadCritical); if (!Inited) { FreeLibrary( FeClientModule ); return( FALSE ); } return( TRUE ); } BOOL WINAPI EncryptFileA ( LPCSTR lpFileName ) /*++ Routine Description: ANSI Stub to EncryptFileW Arguments: lpFileName - The name of the file to be encrypted. Return Value: TRUE on success, FALSE on failure. Callers may call GetLastError() for more information. --*/ { UNICODE_STRING Unicode; WCHAR UnicodeBuffer[STATIC_UNICODE_BUFFER_LENGTH]; ANSI_STRING AnsiString; NTSTATUS Status; Unicode.Length = 0; Unicode.MaximumLength = STATIC_UNICODE_BUFFER_LENGTH * sizeof( WCHAR ); Unicode.Buffer = UnicodeBuffer; RtlInitAnsiString(&AnsiString,lpFileName); Status = RtlAnsiStringToUnicodeString(&Unicode,&AnsiString,FALSE); if ( !NT_SUCCESS(Status) ) { if ( Status == STATUS_BUFFER_OVERFLOW ) { SetLastError(ERROR_FILENAME_EXCED_RANGE); } else { BaseSetLastNTError(Status); } return FALSE; } return ( EncryptFileW( Unicode.Buffer )); } BOOL WINAPI EncryptFileW ( LPCWSTR lpFileName ) /*++ Routine Description: Win32 EncryptFile API Arguments: lpFileName - Supplies the name of the file to be encrypted. Return Value: TRUE on success, FALSE on failure. Callers may call GetLastError() for more information. --*/ { BOOL rc; DWORD Result; // // See if the module has been loaded, and if not, load it into this // process. // if (FeClientInfo == NULL) { rc = LoadAndInitFeClient(); if (!rc) { return(rc); } } Result = FeClientInfo->lpServices->EncryptFile( lpFileName ); if (ERROR_SUCCESS != Result) { SetLastError( Result ); return( FALSE ); } return( TRUE ); } BOOL WINAPI DecryptFileA ( IN LPCSTR lpFileName, IN DWORD dwRecovery ) /*++ Routine Description: ANSI Stub for the DecryptFileW API Arguments: lpFileName - Supplies the name of the file to be decrypted. dwRecover - Supplies whether this is a recovery operation or a normal decryption operation. Return Value: TRUE on success, FALSE on failure. Callers may call GetLastError() for more information. --*/ { UNICODE_STRING Unicode; WCHAR UnicodeBuffer[STATIC_UNICODE_BUFFER_LENGTH]; ANSI_STRING AnsiString; NTSTATUS Status; Unicode.Length = 0; Unicode.MaximumLength = STATIC_UNICODE_BUFFER_LENGTH * sizeof( WCHAR ); Unicode.Buffer = UnicodeBuffer; RtlInitAnsiString(&AnsiString,lpFileName); Status = RtlAnsiStringToUnicodeString(&Unicode,&AnsiString,FALSE); if ( !NT_SUCCESS(Status) ) { if ( Status == STATUS_BUFFER_OVERFLOW ) { SetLastError(ERROR_FILENAME_EXCED_RANGE); } else { BaseSetLastNTError(Status); } return FALSE; } return ( DecryptFileW( Unicode.Buffer, dwRecovery )); } BOOL WINAPI DecryptFileW ( IN LPCWSTR lpFileName, IN DWORD dwRecovery ) /*++ Routine Description: Win32 DecryptFile API Arguments: lpFileName - Supplies the name of the file to be encrypted. Return Value: TRUE on success, FALSE on failure. Callers may call GetLastError() for more information. --*/ { BOOL rc; DWORD Result; // // See if the module has been loaded, and if not, load it into this // process. // if (FeClientInfo == NULL) { rc = LoadAndInitFeClient(); if (!rc) { return(rc); } } Result = FeClientInfo->lpServices->DecryptFile( lpFileName, dwRecovery ); if (ERROR_SUCCESS != Result) { SetLastError( Result ); return( FALSE ); } return( TRUE ); } BOOL WINAPI FileEncryptionStatusA ( LPCSTR lpFileName, LPDWORD lpStatus ) /*++ Routine Description: ANSI Stub to FileEncryptionStatusW Arguments: lpFileName - The name of the file to be checked. lpStatus - The status of the file. Return Value: TRUE on success, FALSE on failure. Callers may call GetLastError() for more information. --*/ { ANSI_STRING AnsiString; NTSTATUS Status; UNICODE_STRING Unicode; WCHAR UnicodeBuffer[STATIC_UNICODE_BUFFER_LENGTH]; Unicode.Length = 0; Unicode.MaximumLength = STATIC_UNICODE_BUFFER_LENGTH * sizeof( WCHAR ); Unicode.Buffer = UnicodeBuffer; RtlInitAnsiString(&AnsiString,lpFileName); Status = RtlAnsiStringToUnicodeString(&Unicode,&AnsiString,FALSE); if ( !NT_SUCCESS(Status) ) { if ( Status == STATUS_BUFFER_OVERFLOW ) { SetLastError(ERROR_FILENAME_EXCED_RANGE); } else { BaseSetLastNTError(Status); } return FALSE; } return ( FileEncryptionStatusW( Unicode.Buffer, lpStatus )); } BOOL WINAPI FileEncryptionStatusW ( LPCWSTR lpFileName, LPDWORD lpStatus ) /*++ Routine Description: Win32 FileEncryptionStatus API Arguments: lpFileName - Supplies the name of the file to be encrypted. lpStatus - The status of the file. Return Value: TRUE on success, FALSE on failure. Callers may call GetLastError() for more information. --*/ { BOOL rc; DWORD Result; // // See if the module has been loaded, and if not, load it into this // process. // if (FeClientInfo == NULL) { rc = LoadAndInitFeClient(); if (!rc) { return(rc); } } return (FeClientInfo->lpServices->FileEncryptionStatus( lpFileName, lpStatus )); } DWORD WINAPI OpenEncryptedFileRawA( LPCSTR lpFileName, ULONG Flags, PVOID * Context ) { ANSI_STRING AnsiString; NTSTATUS Status; UNICODE_STRING Unicode; WCHAR UnicodeBuffer[STATIC_UNICODE_BUFFER_LENGTH]; Unicode.Length = 0; Unicode.MaximumLength = STATIC_UNICODE_BUFFER_LENGTH * sizeof( WCHAR ); Unicode.Buffer = UnicodeBuffer; RtlInitAnsiString(&AnsiString,lpFileName); Status = RtlAnsiStringToUnicodeString(&Unicode,&AnsiString,FALSE); if ( !NT_SUCCESS(Status) ) { if ( Status == STATUS_BUFFER_OVERFLOW ) { SetLastError(ERROR_FILENAME_EXCED_RANGE); } else { BaseSetLastNTError(Status); } return FALSE; } return ( OpenEncryptedFileRawW( Unicode.Buffer, Flags, Context )); } DWORD WINAPI OpenEncryptedFileRawW( LPCWSTR lpFileName, ULONG Flags, PVOID * Context ) { BOOL rc; DWORD Result; // // See if the module has been loaded, and if not, load it into this // process. // if (FeClientInfo == NULL) { rc = LoadAndInitFeClient(); if (!rc) { return(GetLastError()); } } return (FeClientInfo->lpServices->OpenFileRaw( lpFileName, Flags, Context )); } DWORD WINAPI ReadEncryptedFileRaw( PFE_EXPORT_FUNC ExportCallback, PVOID CallbackContext, PVOID Context ) { // // It doesn't make sense to call this before calling OpenRaw, so don't // bother checking to see if the module is loaded or not. We'll fault // in the user process if it isn't. // return (FeClientInfo->lpServices->ReadFileRaw( ExportCallback, CallbackContext, Context )); } DWORD WINAPI WriteEncryptedFileRaw( PFE_IMPORT_FUNC ImportCallback, PVOID CallbackContext, PVOID Context ) { // // It doesn't make sense to call this before calling OpenRaw, so don't // bother checking to see if the module is loaded or not. We'll fault // in the user process if it isn't. // return (FeClientInfo->lpServices->WriteFileRaw( ImportCallback, CallbackContext, Context )); } VOID WINAPI CloseEncryptedFileRaw( PVOID Context ) { FeClientInfo->lpServices->CloseFileRaw( Context ); return; } DWORD QueryUsersOnEncryptedFile( IN LPCWSTR lpFileName, OUT PENCRYPTION_CERTIFICATE_HASH_LIST * pUsers ) /*++ Routine Description: Win32 interface for adding users to an encrypted file. Arguments: lpFileName - Supplies the name of the file to be modified. pUsers - Returns a list of users on the file. This parameter must be passed to FreeEncryptionCertificateHashList() when no longer needed. Return Value: Win32 error. --*/ { DWORD rc; // // See if the module has been loaded, and if not, load it into this // process. // if (FeClientInfo == NULL) { rc = LoadAndInitFeClient(); if (!rc) { return(rc); } } if ((lpFileName != NULL) && (pUsers != NULL)) { return(FeClientInfo->lpServices->QueryUsers( lpFileName, pUsers )); } else { return( ERROR_INVALID_PARAMETER ); } } VOID FreeEncryptionCertificateHashList( IN PENCRYPTION_CERTIFICATE_HASH_LIST pUsers ) /*++ Routine Description: Frees a certificate hash list as returned by QueryUsersOnEncryptedFile() and QueryRecoveryAgentsOnEncryptedFile(). Arguments: Supplies a list of users returned from QueryUsersOnEncryptedFile(). Return Value: Win32 error. --*/ { // // It is probably safe to assume that feclient.dll is loaded, // since we wouldn't have one of these structures to free // if it weren't. // if (pUsers != NULL) { FeClientInfo->lpServices->FreeCertificateHashList( pUsers ); } else { // // nothing to do // } return; } DWORD QueryRecoveryAgentsOnEncryptedFile( IN LPCWSTR lpFileName, OUT PENCRYPTION_CERTIFICATE_HASH_LIST * pRecoveryAgents ) /*++ Routine Description: This routine returns a list of recovery agents on an encrypted file. Arguments: lpFileName - Supplies the name of the file to be examined. pRecoveryAgents - Returns a list of recovery agents, represented by certificate hashes on the file. This list should be freed by calling FreeEncryptionCertificateHashList(). Return Value: return-value - Description of conditions needed to return value. - or - None. --*/ { DWORD rc; // // See if the module has been loaded, and if not, load it into this // process. // if (FeClientInfo == NULL) { rc = LoadAndInitFeClient(); if (!rc) { return(rc); } } if ((lpFileName != NULL) && (pRecoveryAgents != NULL)) { return(FeClientInfo->lpServices->QueryRecoveryAgents( lpFileName, pRecoveryAgents )); } else { return( ERROR_INVALID_PARAMETER ); } } DWORD RemoveUsersFromEncryptedFile( IN LPCWSTR lpFileName, IN PENCRYPTION_CERTIFICATE_HASH_LIST pHashes ) /*++ Routine Description: Takes a list of certificate hashes to be removed from the passed file. Any that are found are removed, the rest are ignored with no error return. Arguments: lpFileName - Supplies the name of the file to be modified. pHashes - Supplies the list of hashes to be removed. Return Value: Win32 Error --*/ { DWORD rc; // // See if the module has been loaded, and if not, load it into this // process. // if (FeClientInfo == NULL) { rc = LoadAndInitFeClient(); if (!rc) { return(rc); } } if ((lpFileName != NULL) && (pHashes != NULL)) { return(FeClientInfo->lpServices->RemoveUsers( lpFileName, pHashes )); } else { return( ERROR_INVALID_PARAMETER ); } } DWORD AddUsersToEncryptedFile( IN LPCWSTR lpFileName, IN PENCRYPTION_CERTIFICATE_LIST pEncryptionCertificates ) /*++ Routine Description: This routine adds user keys to the passed encrypted file. Arguments: lpFileName - Supplies the name of the file to be encrypted. pEncryptionCertificates - Supplies the list of certificates for new users to be added to the file. Return Value: Win32 Error --*/ { DWORD rc; // // See if the module has been loaded, and if not, load it into this // process. // if (FeClientInfo == NULL) { rc = LoadAndInitFeClient(); if (!rc) { return(rc); } } if ((lpFileName != NULL) && (pEncryptionCertificates != NULL)) { return(FeClientInfo->lpServices->AddUsers( lpFileName, pEncryptionCertificates )); } else { return( ERROR_INVALID_PARAMETER ); } } DWORD SetUserFileEncryptionKey( PENCRYPTION_CERTIFICATE pEncryptionCertificate ) /*++ Routine Description: This routine will set the user's current EFS key to the one contained in the passed certificate. If no certificate is passed, a new key will be generated automatically. Arguments: pEncryptionCertificate - Optionally supplies the certificate containing the new public key. Return Value: Win32 error --*/ { DWORD rc; // // See if the module has been loaded, and if not, load it into this // process. // if (FeClientInfo == NULL) { rc = LoadAndInitFeClient(); if (!rc) { return(rc); } } return(FeClientInfo->lpServices->SetKey( pEncryptionCertificate )); /* if (pEncryptionCertificate != NULL) { return(FeClientInfo->lpServices->SetKey( pEncryptionCertificate )); } else { return( ERROR_INVALID_PARAMETER ); }*/ } DWORD DuplicateEncryptionInfoFile( IN LPCWSTR SrcFileName, IN LPCWSTR DstFileName, IN DWORD dwCreationDistribution, IN DWORD dwAttributes, IN CONST LPSECURITY_ATTRIBUTES lpSecurityAttributes ) /*++ Routine Description: This routine duplicates the encryption information from the source file to the destination file. Destination file will be created if not existing. The destination file is overwritten. Arguments: SrcFileName - Supplies the source of the encryption information. DstFileName - Supplies the target file, exclusive open is required on this file. dwCreationDistribution - Create options. If dwCreationDistribution != CREATE_NEW, dwCreationDistribution = CREATE_ALWAYS dwAttributes - File attributes. lpSecurityAttributes - Security attributes. Return Value: Win32 error on failure. --*/ { DWORD rc; if (FeClientModule == NULL) { rc = LoadAndInitFeClient(); if (!rc) { return(rc); } } if (SrcFileName && DstFileName) { return(FeClientInfo->lpServices->DuplicateEncryptionInfo( SrcFileName, DstFileName, dwCreationDistribution, dwAttributes, lpSecurityAttributes )); } else { return( ERROR_INVALID_PARAMETER ); } } BOOL WINAPI EncryptionDisable( IN LPCWSTR DirPath, IN BOOL Disable ) /*++ Routine Description: This routine disable and enable EFS in the directory DirPath. Arguments: DirPath - Directory path. Disable - TRUE to disable Return Value: TRUE for SUCCESS --*/ { DWORD rc; // // See if the module has been loaded, and if not, load it into this // process. // if (FeClientInfo == NULL) { rc = LoadAndInitFeClient(); if (!rc) { return(rc); } } return(FeClientInfo->lpServices->DisableDir( DirPath, Disable )); } WINADVAPI DWORD WINAPI EncryptedFileKeyInfo( IN LPCWSTR lpFileName, IN DWORD InfoClass, OUT PEFS_RPC_BLOB * KeyInfo ) /*++ Routine Description: Win32 interface for adding users to an encrypted file. Arguments: lpFileName - Supplies the name of the file to be modified. InfoClass - Information requested. Only support 1 for now. KeyInfo - Returns Key info Return Value: Win32 error. --*/ { DWORD rc; // // See if the module has been loaded, and if not, load it into this // process. // if (FeClientInfo == NULL) { rc = LoadAndInitFeClient(); if (!rc) { return(rc); } } if ((lpFileName != NULL) && (KeyInfo != NULL)) { return(FeClientInfo->lpServices->GetKeyInfo( lpFileName, InfoClass, KeyInfo )); } else { return( ERROR_INVALID_PARAMETER ); } } WINADVAPI VOID WINAPI FreeEncryptedFileKeyInfo( IN PEFS_RPC_BLOB pKeyInfo ) /*++ Routine Description: Frees a KeyInfo as returned by EncryptedFileKeyInfo(); Arguments: pKeyInfo - Supplies a KeyInfo returned from EncryptedFileKeyInfo(). Return Value: No. --*/ { // // It is probably safe to assume that feclient.dll is loaded, // since we wouldn't have one of these structures to free // if it weren't. // if (pKeyInfo != NULL) { FeClientInfo->lpServices->FreeKeyInfo( pKeyInfo ); } else { // // nothing to do // } return; }