You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4592 lines
148 KiB
4592 lines
148 KiB
//+-----------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
//
|
|
// Copyright (c) Microsoft Corporation 1992 - 1996
|
|
//
|
|
// File: ctxtapi.cxx
|
|
//
|
|
// Contents: Context APIs for Kerberos package
|
|
//
|
|
//
|
|
// History: 16-April-1996 Created MikeSw
|
|
// 26-Sep-1998 ChandanS
|
|
// Added more debugging support etc.
|
|
//
|
|
//------------------------------------------------------------------------
|
|
|
|
#include <kerb.hxx>
|
|
#include <kerbp.h>
|
|
#include "kerbevt.h"
|
|
#include <gssapip.h>
|
|
#include <krbaudit.h>
|
|
|
|
#ifdef RETAIL_LOG_SUPPORT
|
|
static TCHAR THIS_FILE[]=TEXT(__FILE__);
|
|
#endif
|
|
UNICODE_STRING KerbTargetPrefix = {sizeof(L"krb5://")-sizeof(WCHAR),sizeof(L"krb5://"),L"krb5://" };
|
|
|
|
|
|
#ifdef DBG
|
|
LONG Audits = 0;
|
|
LONG Token = 0;
|
|
#endif
|
|
|
|
#define FILENO FILENO_CTXTAPI
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpDeleteContext
|
|
//
|
|
// Synopsis: Deletes a Kerberos context
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: ContextHandle - The context to delete
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns: STATUS_SUCCESS or STATUS_INVALID_HANDLE
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS NTAPI
|
|
SpDeleteContext(
|
|
IN LSA_SEC_HANDLE ContextHandle
|
|
)
|
|
{
|
|
NTSTATUS Status;
|
|
PKERB_CONTEXT Context;
|
|
KERB_CONTEXT_STATE ContextState;
|
|
ULONG ClientProcess = 0;
|
|
|
|
D_DebugLog((DEB_TRACE_API,"SpDeleteContext 0x%x called\n",ContextHandle));
|
|
|
|
if (!KerbGlobalInitialized)
|
|
{
|
|
Status = STATUS_INVALID_SERVER_STATE;
|
|
Context = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
Status = KerbReferenceContext(
|
|
ContextHandle,
|
|
TRUE, // unlink handle
|
|
&Context
|
|
);
|
|
|
|
if (Context == NULL)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"SpDeleteContext: Context 0x%x not located. %ws, line %d\n",ContextHandle, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
#ifndef WIN32_CHICAGO
|
|
KerbReadLockContexts();
|
|
|
|
// Need to copy out the context data else we'll end up holding the lock
|
|
// for too long a time.
|
|
//
|
|
ContextState = Context->ContextState;
|
|
|
|
ClientProcess = Context->ClientProcess;
|
|
KerbUnlockContexts();
|
|
|
|
// If this was a context that was dropped in the middle,
|
|
// audit it as a logon failure.
|
|
//
|
|
|
|
if (ContextState == ApReplySentState)
|
|
{
|
|
LsaFunctions->AuditLogon(
|
|
STATUS_UNFINISHED_CONTEXT_DELETED,
|
|
STATUS_SUCCESS,
|
|
&Context->ClientName,
|
|
&Context->ClientRealm,
|
|
NULL, // no workstation
|
|
Context->UserSid,
|
|
Network,
|
|
&KerberosSource,
|
|
&Context->LogonId
|
|
);
|
|
}
|
|
#endif // WIN32_CHICAGO
|
|
|
|
//
|
|
// Now dereference the Context. If nobody else is using this Context
|
|
// currently it will be freed.
|
|
//
|
|
|
|
KerbDereferenceContext(Context);
|
|
Status = STATUS_SUCCESS;
|
|
|
|
Cleanup:
|
|
|
|
D_DebugLog((DEB_TRACE_LEAKS,"SpDeleteContext returned 0x%x, Context 0x%x, Pid 0x%x\n",KerbMapKerbNtStatusToNtStatus(Status), Context, ClientProcess));
|
|
D_DebugLog((DEB_TRACE_API, "SpDeleteContext returned 0x%x\n", KerbMapKerbNtStatusToNtStatus(Status)));
|
|
return(KerbMapKerbNtStatusToNtStatus(Status));
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbProcessTargetNames
|
|
//
|
|
// Synopsis: Takes the target names from both the negotiate hint and
|
|
// supplied by the caller and creates the real Kerberos target
|
|
// name.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: TargetName - supplies the name passed in the TargetName
|
|
// parameter of InitializeSecurityContext.
|
|
// SuppTargetName - If present, an alternate name passed in
|
|
// a security token.
|
|
// Flags - flags to use when cracking a name. May be:
|
|
// KERB_CRACK_NAME_USE_WKSTA_REALM - if no realm can be
|
|
// determined, use the realm of the wksta
|
|
// KERB_CRACK_NAME_REALM_SUPPLIED - the caller has the
|
|
// realm name, so treat "@" in the name as a normal
|
|
// character, not a spacer.
|
|
// UseSpnRealmSupplied - If the target name was an spn and it
|
|
// contained a realm, it's set to TRUE
|
|
// FinalTarget - The processed name. Must be freed with KerbFreeKdcName.
|
|
// TargetRealm - If the name contains a realm portions, this is
|
|
// the realm. Should be freed using KerbFreeString.
|
|
//
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes: If the name has an "@" in it, it is converted into a standard
|
|
// Kerberos V5 name - everything after the "@" is put in the
|
|
// realm field, and everything before the @ is separted at the
|
|
// "/" characters into different pieces of the name. Depending
|
|
// on the number of pieces, it is passed as a KRB_NT_PRINCIPAL (1)
|
|
// or KRB_NT_SRV_INSTANCE (2), or KRB_NT_SRV_XHST (3+)
|
|
//
|
|
// If the name has an "\" in it, it is assumed to be an NT4
|
|
// name & put as is into a KRB_NT_MS_PRINCIPAL_NAME name
|
|
//
|
|
// If the name has neither a "\" or a "@" or a "/", it is
|
|
// assumed to be a simple name & passed as KRB_NT_PRINCIPAL
|
|
// in the caller's domain.
|
|
//
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
#ifdef later
|
|
#define KERB_LOCALHOST_NAME L"localhost"
|
|
#endif
|
|
|
|
NTSTATUS
|
|
KerbProcessTargetNames(
|
|
IN PUNICODE_STRING TargetName,
|
|
IN OPTIONAL PUNICODE_STRING SuppTargetName,
|
|
IN ULONG Flags,
|
|
IN OUT PULONG ProcessFlags,
|
|
OUT PKERB_INTERNAL_NAME * FinalTarget,
|
|
OUT PUNICODE_STRING TargetRealm,
|
|
OUT OPTIONAL PKERB_SPN_CACHE_ENTRY * SpnCacheEntry
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
SHORT NameType = 0;
|
|
PKERB_INTERNAL_NAME OutputName = NULL;
|
|
USHORT NameParts = 0, ExtraNameParts = 0;
|
|
ULONG NameLength = 0;
|
|
USHORT Index, NameIndex;
|
|
PUNICODE_STRING RealTargetName;
|
|
UNICODE_STRING CacheTargetRealm = {0};
|
|
UNICODE_STRING SuppliedRealm = {0};
|
|
UNICODE_STRING FirstNamePart = {0};
|
|
PKERB_SPN_CACHE_ENTRY LocalCacheEntry = NULL;
|
|
#ifdef later
|
|
UNICODE_STRING LocalhostName = {0};
|
|
BOOLEAN ReplaceLocalhost = FALSE;
|
|
#endif
|
|
BOOLEAN DoneParsing = FALSE;
|
|
PKERB_MIT_REALM MitRealm;
|
|
BOOLEAN UsedAlternateName;
|
|
PUCHAR Where;
|
|
|
|
*ProcessFlags = 0;
|
|
|
|
//
|
|
// If a supplemental target name was supplied, use it as it is more likely
|
|
// to be correct.
|
|
//
|
|
|
|
if (ARGUMENT_PRESENT(SuppTargetName) && (SuppTargetName->Length > 0))
|
|
{
|
|
RealTargetName = SuppTargetName;
|
|
}
|
|
else
|
|
{
|
|
RealTargetName = TargetName;
|
|
}
|
|
|
|
//
|
|
// If this is an IP address, we don't handle it so bail now.
|
|
//
|
|
|
|
if (KerbIsIpAddress(RealTargetName))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Ip address passed as target name: %wZ. Failing InitSecCtxt\n",
|
|
RealTargetName ));
|
|
Status = SEC_E_TARGET_UNKNOWN;
|
|
goto Cleanup;
|
|
}
|
|
|
|
#ifdef later
|
|
RtlInitUnicodeString(
|
|
&LocalhostName,
|
|
KERB_LOCALHOST_NAME
|
|
);
|
|
#endif
|
|
|
|
|
|
//
|
|
// Initialize the first part of the name to the whole string
|
|
//
|
|
|
|
FirstNamePart.Buffer = RealTargetName->Buffer;
|
|
FirstNamePart.Length = RealTargetName->Length;
|
|
FirstNamePart.MaximumLength = FirstNamePart.Length;
|
|
|
|
//
|
|
// Check the characters in the name. Search backwards to front because
|
|
// username may have "@" signs in them.
|
|
//
|
|
|
|
for ( Index = (RealTargetName->Length / sizeof(WCHAR)); Index-- > 0; )
|
|
{
|
|
switch(RealTargetName->Buffer[Index])
|
|
{
|
|
case L'@':
|
|
|
|
//
|
|
// If we have a realm name already, ignore this character.
|
|
//
|
|
|
|
if ((Flags & KERB_CRACK_NAME_REALM_SUPPLIED) != 0)
|
|
{
|
|
break;
|
|
}
|
|
|
|
//
|
|
// If we haven't hit any other separators, this is user@domain kind
|
|
// of name
|
|
//
|
|
|
|
|
|
if (NameType == 0)
|
|
{
|
|
NameType = KRB_NT_PRINCIPAL;
|
|
NameParts++;
|
|
|
|
SuppliedRealm.Buffer = &RealTargetName->Buffer[Index] + 1;
|
|
SuppliedRealm.Length = RealTargetName->Length - (Index + 1) * sizeof(WCHAR);
|
|
SuppliedRealm.MaximumLength = SuppliedRealm.Length;
|
|
|
|
if (SuppliedRealm.Length == 0)
|
|
{
|
|
Status = SEC_E_TARGET_UNKNOWN;
|
|
goto Cleanup;
|
|
}
|
|
|
|
FirstNamePart.Buffer = RealTargetName->Buffer;
|
|
FirstNamePart.Length = Index * sizeof(WCHAR);
|
|
FirstNamePart.MaximumLength = FirstNamePart.Length;
|
|
}
|
|
// else
|
|
// {
|
|
// Status = SEC_E_TARGET_UNKNOWN;
|
|
// goto Cleanup;
|
|
// }
|
|
|
|
break;
|
|
|
|
case L'/':
|
|
|
|
//
|
|
// All names that have a '/' separator are KRB_NT_SRV_INST
|
|
// If we saw an @before this, we need to do something special.
|
|
//
|
|
|
|
NameType = KRB_NT_SRV_INST;
|
|
NameParts ++;
|
|
break;
|
|
|
|
|
|
case L'\\':
|
|
|
|
//
|
|
// If we have a realm name already, ignore this character.
|
|
//
|
|
|
|
if ((Flags & KERB_CRACK_NAME_REALM_SUPPLIED) != 0)
|
|
{
|
|
break;
|
|
}
|
|
|
|
//
|
|
// If we hit a backslash, this is an NT4 style name, so treat it
|
|
// as such.
|
|
// Just for error checking purposes, make sure that the current
|
|
// name type was 0
|
|
//
|
|
|
|
if (NameType != 0)
|
|
{
|
|
Status = SEC_E_TARGET_UNKNOWN;
|
|
goto Cleanup;
|
|
}
|
|
NameType = KRB_NT_MS_PRINCIPAL;
|
|
NameParts = 1;
|
|
SuppliedRealm.Buffer = RealTargetName->Buffer;
|
|
SuppliedRealm.Length = Index * sizeof(WCHAR);
|
|
SuppliedRealm.MaximumLength = SuppliedRealm.Length;
|
|
|
|
FirstNamePart.Buffer = &RealTargetName->Buffer[Index] + 1;
|
|
FirstNamePart.Length = RealTargetName->Length - (Index + 1) * sizeof(WCHAR);
|
|
FirstNamePart.MaximumLength = FirstNamePart.Length;
|
|
|
|
if (SuppliedRealm.Length == 0 || FirstNamePart.Length == 0)
|
|
{
|
|
Status = SEC_E_TARGET_UNKNOWN;
|
|
goto Cleanup;
|
|
}
|
|
|
|
DoneParsing = TRUE;
|
|
|
|
break;
|
|
|
|
default:
|
|
break;
|
|
|
|
}
|
|
if (DoneParsing)
|
|
{
|
|
break;
|
|
}
|
|
}
|
|
|
|
//
|
|
// If we didn't exit early, then we were sent a name with no "@" sign.
|
|
// If there were no separators, then it is a flat principal name
|
|
//
|
|
|
|
if (!DoneParsing && (NameType == 0))
|
|
{
|
|
if (NameParts == 0)
|
|
{
|
|
//
|
|
// The name has no separators, so it is a flat principal name
|
|
//
|
|
|
|
NameType = KRB_NT_PRINCIPAL;
|
|
NameParts = 1;
|
|
}
|
|
}
|
|
|
|
//
|
|
// For KRB_NT_SRV_INST, get the name parts correct and tell the caller
|
|
// that a realm was supplied in the spn
|
|
//
|
|
|
|
if (NameType == KRB_NT_SRV_INST)
|
|
{
|
|
if (SuppliedRealm.Length == 0)
|
|
{
|
|
// We have an spn of the form a/b..../n and the name parts needs
|
|
// to be upped by one
|
|
// If we had an spn of the form a/b@c, then the name
|
|
// parts would be right.
|
|
|
|
NameParts++;
|
|
}
|
|
else
|
|
{
|
|
// We need to filter this back to the caller so that the
|
|
// name canonicalization bit is not set.
|
|
|
|
*ProcessFlags |= KERB_GET_TICKET_NO_CANONICALIZE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Check for an MIT realm with the supplied realm - if the name type is
|
|
// KRB_NT_PRINCIPAL, send it as a UPN unless we can find an MIT realm.
|
|
// If we are not a member of a domain, then we can't default so use
|
|
// the domain name supplied. Also, if we are using supplied credentials
|
|
// we don't want to use the wksta realm.
|
|
|
|
if ( (NameType == KRB_NT_PRINCIPAL)
|
|
&& (KerbGetGlobalRole() != KerbRoleRealmlessWksta) // not realmless
|
|
&& ((Flags & KERB_CRACK_NAME_USE_WKSTA_REALM) != 0) )
|
|
{
|
|
BOOLEAN Result;
|
|
Result = KerbLookupMitRealm(
|
|
&SuppliedRealm,
|
|
&MitRealm,
|
|
&UsedAlternateName
|
|
);
|
|
//
|
|
// If we didn't find a realm, use this as a UPN
|
|
//
|
|
|
|
if (!Result)
|
|
{
|
|
//
|
|
// If the caller supplied the realm separately, then don't
|
|
// send it as a UPN.
|
|
//
|
|
|
|
if ((Flags & KERB_CRACK_NAME_REALM_SUPPLIED) == 0)
|
|
{
|
|
//
|
|
// send it as UPN
|
|
|
|
NameType = KRB_NT_ENTERPRISE_PRINCIPAL;
|
|
NameParts = 1;
|
|
FirstNamePart = *RealTargetName;
|
|
RtlInitUnicodeString(
|
|
&SuppliedRealm,
|
|
NULL
|
|
);
|
|
}
|
|
}
|
|
//
|
|
// For logon, its interesting to know if we're doing an MIT realm lookup
|
|
//
|
|
else
|
|
{
|
|
D_DebugLog((DEB_TRACE, "Using MIT realm in Process TargetName\n"));
|
|
*ProcessFlags |= KERB_MIT_REALM_USED;
|
|
}
|
|
}
|
|
|
|
NameLength = FirstNamePart.Length + NameParts * sizeof(WCHAR);
|
|
|
|
|
|
D_DebugLog((DEB_TRACE_CTXT,
|
|
"Parsed name %wZ (%wZ) into:\n\t name type 0x%x, name count %d, \n\t realm %wZ, \n\t first part %wZ\n",
|
|
TargetName,
|
|
SuppTargetName,
|
|
NameType,
|
|
NameParts,
|
|
&SuppliedRealm,
|
|
&FirstNamePart
|
|
));
|
|
|
|
#ifdef later
|
|
//
|
|
// If the name end in "localhost", replace it with our dns machine
|
|
// name.
|
|
//
|
|
|
|
if ((NameType == KRB_NT_SRV_INST) &&
|
|
(NameParts == 2) &&
|
|
(RealTargetName->Length > LocalhostName.Length) &&
|
|
RtlEqualMemory(
|
|
RealTargetName->Buffer + (RealTargetName->Length - LocalhostName.Length ) / sizeof(WCHAR),
|
|
LocalhostName.Buffer,
|
|
LocalhostName.Length
|
|
))
|
|
|
|
{
|
|
NameLength -= LocalhostName.Length;
|
|
KerbGlobalReadLock();
|
|
NameLength += KerbGlobalMitMachineServiceName->Names[1].Length;
|
|
|
|
//
|
|
// Set the flag to indicate we need to replace the name, and that
|
|
// the global lock is held.
|
|
//
|
|
|
|
ReplaceLocalhost = TRUE;
|
|
}
|
|
#endif
|
|
|
|
//
|
|
// Create the output names
|
|
//
|
|
|
|
OutputName = (PKERB_INTERNAL_NAME) KerbAllocate(KERB_INTERNAL_NAME_SIZE(NameParts + ExtraNameParts) + NameLength);
|
|
if (OutputName == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
OutputName->NameCount = NameParts + ExtraNameParts;
|
|
OutputName->NameType = NameType;
|
|
|
|
Where = (PUCHAR) OutputName + KERB_INTERNAL_NAME_SIZE(NameParts+ExtraNameParts);
|
|
NameIndex = 0;
|
|
|
|
//
|
|
// If there is only one part of the name, handle that first
|
|
//
|
|
|
|
if (NameParts == 1)
|
|
{
|
|
OutputName->Names[0].Length = FirstNamePart.Length;
|
|
OutputName->Names[0].MaximumLength = FirstNamePart.Length + sizeof(WCHAR);
|
|
OutputName->Names[0].Buffer = (LPWSTR) Where;
|
|
RtlCopyMemory(
|
|
Where,
|
|
FirstNamePart.Buffer,
|
|
FirstNamePart.Length
|
|
);
|
|
OutputName->Names[0].Buffer[FirstNamePart.Length / sizeof(WCHAR)] = L'\0';
|
|
Where += FirstNamePart.Length + sizeof(WCHAR);
|
|
NameIndex = 1;
|
|
|
|
}
|
|
else
|
|
{
|
|
UNICODE_STRING TempName;
|
|
|
|
//
|
|
// Build up the name, piece by piece
|
|
//
|
|
|
|
DoneParsing = FALSE;
|
|
NameIndex = 0;
|
|
TempName.Buffer = FirstNamePart.Buffer;
|
|
|
|
for ( Index = 0; Index <= FirstNamePart.Length / sizeof(WCHAR) ; Index++ )
|
|
{
|
|
//
|
|
// If we hit the end or a separator, build a name part
|
|
//
|
|
|
|
if ((Index == FirstNamePart.Length / sizeof(WCHAR)) ||
|
|
(FirstNamePart.Buffer[Index] == L'/') )
|
|
{
|
|
#ifdef later
|
|
if ((NameIndex == 1) && (ReplaceLocalhost))
|
|
{
|
|
OutputName->Names[NameIndex].Length = KerbGlobalMitMachineServiceName->Names[1].Length;
|
|
OutputName->Names[NameIndex].MaximumLength = OutputName->Names[NameIndex].Length + sizeof(WCHAR);
|
|
OutputName->Names[NameIndex].Buffer = (LPWSTR) Where;
|
|
|
|
RtlCopyMemory(
|
|
Where,
|
|
KerbGlobalMitMachineServiceName->Names[1].Buffer,
|
|
OutputName->Names[NameIndex].Length
|
|
);
|
|
//
|
|
// Release the lock now
|
|
//
|
|
|
|
KerbGlobalReleaseLock();
|
|
ReplaceLocalhost = FALSE;
|
|
}
|
|
else
|
|
#endif
|
|
{
|
|
OutputName->Names[NameIndex].Length = (USHORT) (&FirstNamePart.Buffer[Index] - TempName.Buffer) * sizeof(WCHAR);
|
|
OutputName->Names[NameIndex].MaximumLength = OutputName->Names[NameIndex].Length + sizeof(WCHAR);
|
|
OutputName->Names[NameIndex].Buffer = (LPWSTR) Where;
|
|
|
|
RtlCopyMemory(
|
|
Where,
|
|
TempName.Buffer,
|
|
OutputName->Names[NameIndex].Length
|
|
);
|
|
}
|
|
Where += OutputName->Names[NameIndex].Length;
|
|
*(LPWSTR)Where = L'\0';
|
|
Where += sizeof(WCHAR);
|
|
|
|
|
|
NameIndex++;
|
|
TempName.Buffer = &FirstNamePart.Buffer[Index+1];
|
|
}
|
|
}
|
|
|
|
DsysAssert(NameParts == NameIndex);
|
|
}
|
|
|
|
//
|
|
// Now that we've built the output name, check SPN Cache.
|
|
//
|
|
|
|
if ( ARGUMENT_PRESENT(SpnCacheEntry) &&
|
|
NameType == KRB_NT_SRV_INST &&
|
|
SuppliedRealm.Length == 0 )
|
|
|
|
{
|
|
|
|
LocalCacheEntry = KerbLocateSpnCacheEntry(OutputName);
|
|
|
|
if (NULL != LocalCacheEntry)
|
|
{
|
|
DebugLog((DEB_TRACE_SPN_CACHE, "Found in SPN Cache %p ", LocalCacheEntry));
|
|
D_KerbPrintKdcName((DEB_TRACE_SPN_CACHE, LocalCacheEntry->Spn));
|
|
|
|
*SpnCacheEntry = LocalCacheEntry;
|
|
LocalCacheEntry = NULL;
|
|
|
|
*ProcessFlags |= KERB_TARGET_USED_SPN_CACHE;
|
|
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// This is used for HostToRealm mappings.
|
|
//
|
|
KerbSpnSubstringMatch(
|
|
OutputName,
|
|
&CacheTargetRealm
|
|
);
|
|
}
|
|
|
|
}
|
|
|
|
D_DebugLog((DEB_TRACE_CTXT,"Cracked name %wZ into: ", RealTargetName));
|
|
D_KerbPrintKdcName((DEB_TRACE_CTXT,OutputName));
|
|
|
|
//
|
|
// Only use SPN cache w/o supplied credentials - we don't even talk
|
|
// to the cache if the SuppliedRealm is present.
|
|
//
|
|
if (CacheTargetRealm.Buffer != NULL)
|
|
{
|
|
Status = KerbDuplicateString(
|
|
TargetRealm,
|
|
&CacheTargetRealm
|
|
);
|
|
|
|
}
|
|
else if (((Flags & KERB_CRACK_NAME_USE_WKSTA_REALM) == 0) || SuppliedRealm.Length > 0)
|
|
{
|
|
Status = KerbDuplicateString(
|
|
TargetRealm,
|
|
&SuppliedRealm
|
|
);
|
|
}
|
|
else
|
|
{
|
|
if ((Flags & KERB_CRACK_NAME_USE_WKSTA_REALM) == 0)
|
|
{
|
|
DsysAssert(FALSE); // hey, this shouldn't ever be hit...
|
|
RtlInitUnicodeString(
|
|
TargetRealm,
|
|
NULL
|
|
);
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// There was no realm name provided, so use the wksta domain
|
|
//
|
|
Status = KerbGetOurDomainName(
|
|
TargetRealm
|
|
);
|
|
}
|
|
|
|
}
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
*FinalTarget = OutputName;
|
|
OutputName = NULL;
|
|
|
|
Cleanup:
|
|
|
|
#ifdef later
|
|
if (ReplaceLocalhost)
|
|
{
|
|
KerbGlobalReleaseLock();
|
|
}
|
|
#endif
|
|
|
|
if ( LocalCacheEntry )
|
|
{
|
|
KerbDereferenceSpnCacheEntry( LocalCacheEntry );
|
|
}
|
|
|
|
KerbFreeString( &CacheTargetRealm );
|
|
|
|
if (OutputName != NULL)
|
|
{
|
|
KerbFree(OutputName);
|
|
}
|
|
return(Status);
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbValidateChannelBindings
|
|
//
|
|
// Synopsis: Validates the channel bindings copied from the client.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: pBuffer -- Input buffer that contains channel bindings
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbValidateChannelBindings(
|
|
IN PVOID pBuffer,
|
|
IN ULONG ulBufferLength
|
|
)
|
|
{
|
|
PSEC_CHANNEL_BINDINGS pClientBindings = (PSEC_CHANNEL_BINDINGS) pBuffer;
|
|
DWORD dwBindingLength;
|
|
DWORD dwInitiatorEnd;
|
|
DWORD dwAcceptorEnd;
|
|
DWORD dwApplicationEnd;
|
|
|
|
//
|
|
// If channel bindings were specified, they had better be there
|
|
//
|
|
|
|
if (pBuffer == NULL || ulBufferLength < sizeof(SEC_CHANNEL_BINDINGS))
|
|
{
|
|
return STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
//
|
|
// Make sure we got one contiguous buffer
|
|
//
|
|
|
|
dwBindingLength = sizeof(SEC_CHANNEL_BINDINGS)
|
|
+ pClientBindings->cbInitiatorLength
|
|
+ pClientBindings->cbAcceptorLength
|
|
+ pClientBindings->cbApplicationDataLength;
|
|
|
|
//
|
|
// Make sure the lengths are valid and check for overflow
|
|
//
|
|
|
|
if (dwBindingLength > ulBufferLength)
|
|
{
|
|
return STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
dwInitiatorEnd = pClientBindings->dwInitiatorOffset + pClientBindings->cbInitiatorLength;
|
|
dwAcceptorEnd = pClientBindings->dwAcceptorOffset + pClientBindings->cbAcceptorLength;
|
|
dwApplicationEnd = pClientBindings->dwApplicationDataOffset + pClientBindings->cbApplicationDataLength;
|
|
|
|
if ((dwInitiatorEnd > dwBindingLength || dwInitiatorEnd < pClientBindings->dwInitiatorOffset)
|
|
||
|
|
(dwAcceptorEnd > dwBindingLength || dwAcceptorEnd < pClientBindings->dwAcceptorOffset)
|
|
||
|
|
(dwApplicationEnd > dwBindingLength || dwApplicationEnd < pClientBindings->dwApplicationDataOffset))
|
|
{
|
|
return STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpInitLsaModeContext
|
|
//
|
|
// Synopsis: Kerberos implementation of InitializeSecurityContext. This
|
|
// routine handles the client side of authentication by
|
|
// acquiring a ticket to the specified target. If a context
|
|
// handle is passed in, then the input buffer is used to
|
|
// verify the authenticity of the server.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS NTAPI
|
|
SpInitLsaModeContext(
|
|
IN OPTIONAL LSA_SEC_HANDLE CredentialHandle,
|
|
IN OPTIONAL LSA_SEC_HANDLE ContextHandle,
|
|
IN OPTIONAL PUNICODE_STRING TargetName,
|
|
IN ULONG ContextRequirements,
|
|
IN ULONG TargetDataRep,
|
|
IN PSecBufferDesc InputBuffers,
|
|
OUT PLSA_SEC_HANDLE NewContextHandle,
|
|
IN OUT PSecBufferDesc OutputBuffers,
|
|
OUT PULONG ContextAttributes,
|
|
OUT PTimeStamp ExpirationTime,
|
|
OUT PBOOLEAN MappedContext,
|
|
OUT PSecBuffer ContextData
|
|
)
|
|
{
|
|
PKERB_LOGON_SESSION LogonSession = NULL;
|
|
PKERB_LOGON_SESSION CallerLogonSession = NULL;
|
|
PKERB_CREDENTIAL Credential = NULL;
|
|
PKERB_TICKET_CACHE_ENTRY TicketCacheEntry = NULL;
|
|
ULONG TicketOptions = 0;
|
|
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
LUID LogonId;
|
|
PUCHAR Request = NULL;
|
|
ULONG RequestSize = 0;
|
|
PUCHAR Reply = NULL;
|
|
ULONG ReplySize;
|
|
PSecBuffer OutputToken = NULL;
|
|
PSecBuffer InputToken = NULL;
|
|
UNICODE_STRING LocalTargetName;
|
|
UNICODE_STRING TargetDomainName;
|
|
PKERB_INTERNAL_NAME TargetInternalName = NULL;
|
|
ULONG Index;
|
|
PKERB_CONTEXT Context = NULL;
|
|
ULONG Nonce = 0;
|
|
ULONG ProcessFlags = 0;
|
|
ULONG ReceiveNonce = 0;
|
|
ULONG ContextFlags = 0;
|
|
ULONG ContextAttribs = 0;
|
|
ULONG LogonSessionFlags = 0;
|
|
TimeStamp ContextLifetime;
|
|
TimeStamp AuthenticatorTime = {0};
|
|
BOOLEAN DoThirdLeg = FALSE;
|
|
BOOLEAN GetAuthTicket = FALSE;
|
|
BOOLEAN UseNullSession = FALSE;
|
|
BOOLEAN GetServerTgt = FALSE;
|
|
PKERB_ERROR ErrorMessage = NULL;
|
|
PKERB_ERROR_METHOD_DATA ErrorData = NULL;
|
|
PKERB_EXT_ERROR pExtendedError = NULL;
|
|
PKERB_TGT_REPLY TgtReply = NULL;
|
|
PKERB_SPN_CACHE_ENTRY SpnCacheEntry = NULL;
|
|
ULONG ContextRetries = 0;
|
|
KERB_CONTEXT_STATE ContextState = InvalidState;
|
|
KERB_ENCRYPTION_KEY SubSessionKey = {0};
|
|
BOOLEAN ClientAskedForDelegate = FALSE, ClientAskedForDelegateIfSafe = FALSE;
|
|
ULONG ClientProcess = 0;
|
|
PKERB_CREDMAN_CRED CredManCredentials = NULL;
|
|
NTSTATUS InitialStatus = STATUS_SUCCESS;
|
|
PSEC_CHANNEL_BINDINGS pChannelBindings = NULL;
|
|
PKERB_TICKET_CACHE_ENTRY EvidenceTicket = NULL;
|
|
PBYTE pbMarshalledTargetInfo = NULL;
|
|
ULONG cbMarshalledTargetInfo = 0;
|
|
|
|
KERB_INITSC_INFO InitSCTraceInfo;
|
|
InitSCTraceInfo.EventTrace.Size = 0;
|
|
LUID LocalSystemLuid = SYSTEM_LUID;
|
|
|
|
D_DebugLog((DEB_TRACE_API, "SpInitLsaModeContext 0x%x called\n", ContextHandle));
|
|
|
|
if( KerbEventTraceFlag ) // Event Trace: KerbInitSecurityContextStart {No Data}
|
|
{
|
|
InitSCTraceInfo.EventTrace.Guid = KerbInitSCGuid;
|
|
InitSCTraceInfo.EventTrace.Class.Type = EVENT_TRACE_TYPE_START;
|
|
InitSCTraceInfo.EventTrace.Flags = WNODE_FLAG_TRACED_GUID;
|
|
InitSCTraceInfo.EventTrace.Size = sizeof (EVENT_TRACE_HEADER);
|
|
|
|
TraceEvent(
|
|
KerbTraceLoggerHandle,
|
|
(PEVENT_TRACE_HEADER)&InitSCTraceInfo
|
|
);
|
|
}
|
|
|
|
//
|
|
// Initialize the outputs.
|
|
//
|
|
|
|
*ContextAttributes = 0;
|
|
*NewContextHandle = 0;
|
|
*ExpirationTime = KerbGlobalHasNeverTime;
|
|
*MappedContext = FALSE;
|
|
ContextData->pvBuffer = NULL;
|
|
ContextData->cbBuffer = 0;
|
|
LocalTargetName.Buffer = NULL;
|
|
LocalTargetName.Length = 0;
|
|
TargetDomainName.Buffer = NULL;
|
|
TargetDomainName.Length = 0;
|
|
|
|
if (!KerbGlobalInitialized)
|
|
{
|
|
Status = STATUS_INVALID_SERVER_STATE;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Make sure we have at least one ip address
|
|
//
|
|
|
|
KerbGlobalReadLock();
|
|
if (KerbGlobalNoTcpUdp)
|
|
{
|
|
Status = STATUS_NETWORK_UNREACHABLE;
|
|
}
|
|
KerbGlobalReleaseLock();
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Delegate will mean delegate_if_safe for this
|
|
// release (NT5)
|
|
//
|
|
|
|
if ( ContextRequirements & ISC_REQ_DELEGATE )
|
|
{
|
|
ClientAskedForDelegate = TRUE;
|
|
ContextRequirements |= ISC_REQ_DELEGATE_IF_SAFE ;
|
|
ContextRequirements &= ~(ISC_REQ_DELEGATE) ;
|
|
}
|
|
else if ( ContextRequirements & ISC_REQ_DELEGATE_IF_SAFE )
|
|
{
|
|
ClientAskedForDelegateIfSafe = TRUE;
|
|
}
|
|
|
|
//////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Process the input tokens
|
|
//
|
|
/////////////////////////////////////////////////////////////////////
|
|
|
|
//
|
|
// First locate the output token.
|
|
//
|
|
|
|
for (Index = 0; Index < OutputBuffers->cBuffers ; Index++ )
|
|
{
|
|
if (BUFFERTYPE(OutputBuffers->pBuffers[Index]) == SECBUFFER_TOKEN)
|
|
{
|
|
OutputToken = &OutputBuffers->pBuffers[Index];
|
|
Status = LsaFunctions->MapBuffer(OutputToken,OutputToken);
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR, "Failed to map output token: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now locate the Input token.
|
|
//
|
|
|
|
for (Index = 0; Index < InputBuffers->cBuffers ; Index++ )
|
|
{
|
|
if (BUFFERTYPE(InputBuffers->pBuffers[Index]) == SECBUFFER_TOKEN)
|
|
{
|
|
InputToken = &InputBuffers->pBuffers[Index];
|
|
Status = LsaFunctions->MapBuffer(InputToken,InputToken);
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR, "Failed to map Input token: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Check to see if we were passed an additional name
|
|
//
|
|
|
|
for (Index = 0; Index < InputBuffers->cBuffers ; Index++ )
|
|
{
|
|
if (BUFFERTYPE(InputBuffers->pBuffers[Index]) == SECBUFFER_NEGOTIATION_INFO)
|
|
{
|
|
Status = LsaFunctions->MapBuffer(
|
|
&InputBuffers->pBuffers[Index],
|
|
&InputBuffers->pBuffers[Index]
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog( (DEB_ERROR, "Failed to map incoming SECBUFFER_NEGOTIATION_INFO. %x, %ws, %d", Status, THIS_FILE, __LINE__) );
|
|
goto Cleanup;
|
|
}
|
|
LocalTargetName.Buffer = (LPWSTR) InputBuffers->pBuffers[Index].pvBuffer;
|
|
|
|
//
|
|
// We can only stick 64k in a the length field, so make sure the
|
|
// buffer is not too big.
|
|
//
|
|
|
|
if (InputBuffers->pBuffers[Index].cbBuffer > 0xffff)
|
|
{
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
goto Cleanup;
|
|
}
|
|
|
|
LocalTargetName.Length =
|
|
LocalTargetName.MaximumLength = (USHORT) InputBuffers->pBuffers[Index].cbBuffer;
|
|
|
|
break;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Process the target names
|
|
//
|
|
|
|
Status = KerbProcessTargetNames(
|
|
TargetName,
|
|
&LocalTargetName,
|
|
0, // No flags
|
|
&ProcessFlags,
|
|
&TargetInternalName,
|
|
&TargetDomainName,
|
|
&SpnCacheEntry
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Check to see if we were passed channel bindings
|
|
//
|
|
|
|
for( Index = 0; Index < InputBuffers->cBuffers; Index++ )
|
|
{
|
|
if( BUFFERTYPE(InputBuffers->pBuffers[Index]) == SECBUFFER_CHANNEL_BINDINGS )
|
|
{
|
|
Status = LsaFunctions->MapBuffer(
|
|
&InputBuffers->pBuffers[Index],
|
|
&InputBuffers->pBuffers[Index]
|
|
);
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
D_DebugLog( (DEB_ERROR,
|
|
"Failed to map incoming SECBUFFER_CHANNEL_BINDINGS. %x, %ws, %d\n",
|
|
Status,
|
|
THIS_FILE,
|
|
__LINE__) );
|
|
|
|
goto Cleanup;
|
|
}
|
|
|
|
pChannelBindings = (PSEC_CHANNEL_BINDINGS) InputBuffers->pBuffers[Index].pvBuffer;
|
|
|
|
Status = KerbValidateChannelBindings(pChannelBindings,
|
|
InputBuffers->pBuffers[Index].cbBuffer);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
pChannelBindings = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
break;
|
|
}
|
|
}
|
|
|
|
//////////////////////////////////////////////////////////////////////
|
|
//
|
|
// If the caller passed in a context handle, deal with updating an
|
|
// existing context.
|
|
//
|
|
/////////////////////////////////////////////////////////////////////
|
|
|
|
//
|
|
// If the input context handle is no NULL then we are actually
|
|
// finalizing an already-existing context. So be it.
|
|
//
|
|
|
|
//
|
|
// Use "while" so we can break out.
|
|
//
|
|
|
|
while (ContextHandle != 0)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT, "SpInitLsaModeContext: Second call to Initialize\n"));
|
|
if (InputToken == NULL)
|
|
{
|
|
D_DebugLog((DEB_ERROR, "SpInitLsaModeContext trying to complete a context with no input token! %ws, line %d\n", THIS_FILE, __LINE__));
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// First reference the context.
|
|
//
|
|
|
|
Status = KerbReferenceContext(
|
|
ContextHandle,
|
|
FALSE, // don't unlink
|
|
&Context
|
|
);
|
|
if (Context == NULL)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to reference context 0x%x. %ws, line %d\n",ContextHandle, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Check the mode of the context to make sure we can finalize it.
|
|
//
|
|
|
|
KerbReadLockContexts();
|
|
|
|
ContextState = Context->ContextState;
|
|
if ((ContextState != ApRequestSentState) &&
|
|
(ContextState != TgtRequestSentState))
|
|
{
|
|
D_DebugLog((DEB_ERROR, "Invalid context state: %d. %ws, line %d\n",
|
|
Context->ContextState, THIS_FILE, __LINE__));
|
|
Status = STATUS_INVALID_HANDLE;
|
|
KerbUnlockContexts();
|
|
goto Cleanup;
|
|
}
|
|
ContextRetries = Context->Retries;
|
|
ContextFlags = Context->ContextFlags;
|
|
ContextAttribs = Context->ContextAttributes;
|
|
Nonce = Context->Nonce;
|
|
CredentialHandle = Context->CredentialHandle;
|
|
ClientProcess = Context->ClientProcess;
|
|
KerbUnlockContexts();
|
|
|
|
//
|
|
// If we are not doing datagram, unpack the AP or TGT reply.
|
|
//
|
|
|
|
if ((ContextFlags & ISC_RET_DATAGRAM) == 0)
|
|
{
|
|
////////////////////////////////////////////////////
|
|
//
|
|
// Handle a TGT reply - get out the TGT & the name of
|
|
// the server
|
|
//
|
|
////////////////////////////////////////////////////
|
|
|
|
if (ContextState == TgtRequestSentState)
|
|
{
|
|
D_DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext calling KerbUnpackTgtReply\n"));
|
|
|
|
KerbWriteLockContexts();
|
|
if (!(Context->ContextAttributes & KERB_CONTEXT_USER_TO_USER))
|
|
{
|
|
Context->ContextAttributes |= KERB_CONTEXT_USER_TO_USER;
|
|
DebugLog((DEB_WARN, "SpInitLsaModeContext * use_sesion_key but USER2USER-OUTBOUND not set, added it now\n"));
|
|
}
|
|
KerbUnlockContexts();
|
|
|
|
Status = KerbUnpackTgtReply(
|
|
Context,
|
|
(PUCHAR) InputToken->pvBuffer,
|
|
InputToken->cbBuffer,
|
|
&TargetInternalName,
|
|
&TargetDomainName,
|
|
&TgtReply
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR, "SpInitLsaModeContext failed to unpack TGT reply: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
|
|
//
|
|
// Check for an error message
|
|
//
|
|
|
|
Status = KerbReceiveErrorMessage(
|
|
(PUCHAR) InputToken->pvBuffer,
|
|
InputToken->cbBuffer,
|
|
Context,
|
|
&ErrorMessage,
|
|
&ErrorData
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbReportKerbError(
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
KLIN(FILENO,__LINE__),
|
|
ErrorMessage,
|
|
((NULL != ErrorMessage) ? ErrorMessage->error_code : KRB_ERR_GENERIC),
|
|
pExtendedError,
|
|
FALSE
|
|
);
|
|
|
|
//
|
|
// Ahh. We have an error message. See if it is an
|
|
// error we can handle, and if so, Now we need to
|
|
// try to build a better AP request. Or, if we have
|
|
// already retried once, fail.
|
|
//
|
|
|
|
DebugLog((DEB_WARN, "SpInitLsaModeContext received KERB_ERROR message with error 0x%x, can't handle\n",
|
|
ErrorMessage->error_code ));
|
|
|
|
if ((ErrorMessage->error_code == KRB_ERR_GENERIC)
|
|
&& (ErrorData != NULL)
|
|
&& (ErrorData->bit_mask & data_value_present)
|
|
&& (ErrorData->data_type == KERB_AP_ERR_TYPE_NTSTATUS)
|
|
&& (ErrorData->data_value.length == sizeof(ULONG)))
|
|
{
|
|
Status = *((PULONG)ErrorData->data_value.value);
|
|
}
|
|
else
|
|
{
|
|
Status = KerbMapKerbError((KERBERR) ErrorMessage->error_code);
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
Status = STATUS_INTERNAL_ERROR;
|
|
}
|
|
}
|
|
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Break out so we generate a normal request now
|
|
//
|
|
|
|
break;
|
|
}
|
|
else // not user-to-user
|
|
{
|
|
|
|
////////////////////////////////////////////////////
|
|
//
|
|
// This is the response to an AP request. It could be
|
|
// an AP reply or an error. Handle both cases
|
|
//
|
|
////////////////////////////////////////////////////
|
|
|
|
//
|
|
// Now unpack the AP reply
|
|
//
|
|
|
|
Status = KerbVerifyApReply(
|
|
Context,
|
|
(PUCHAR) InputToken->pvBuffer,
|
|
InputToken->cbBuffer,
|
|
&ReceiveNonce
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
//
|
|
// Check for an error message
|
|
//
|
|
|
|
Status = KerbReceiveErrorMessage(
|
|
(PUCHAR) InputToken->pvBuffer,
|
|
InputToken->cbBuffer,
|
|
Context,
|
|
&ErrorMessage,
|
|
&ErrorData
|
|
);
|
|
DebugLog((DEB_TRACE, "SpInitLsaModeContext non datagram called KerbReceiveErrorMessage %#x\n", Status));
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbReportKerbError(
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
KLIN(FILENO, __LINE__),
|
|
ErrorMessage,
|
|
((NULL != ErrorMessage) ? ErrorMessage->error_code : KRB_ERR_GENERIC),
|
|
pExtendedError,
|
|
FALSE
|
|
);
|
|
|
|
DebugLog((DEB_WARN, "SpInitLsaModeContext failed to verify AP reply: 0x%x\n", ErrorMessage->error_code));
|
|
|
|
//
|
|
// Ahh. We have an error message. See if it is an
|
|
// error we can handle, and if so, Now we need to
|
|
// try to build a better AP request. Or, if we have
|
|
// already retried once, fail. We can't get a new ticket
|
|
// with user-to-user.
|
|
//
|
|
if ((ContextRetries != 0) ||
|
|
(((KERBERR) ErrorMessage->error_code != KRB_AP_ERR_SKEW) &&
|
|
((KERBERR) ErrorMessage->error_code != KRB_AP_ERR_TKT_NYV) &&
|
|
((KERBERR) ErrorMessage->error_code != KRB_AP_ERR_USER_TO_USER_REQUIRED) &&
|
|
((KERBERR) ErrorMessage->error_code != KRB_AP_ERR_MODIFIED)) ||
|
|
(((KERBERR) ErrorMessage->error_code == KRB_AP_ERR_MODIFIED) &&
|
|
((ContextAttribs & KERB_CONTEXT_USER_TO_USER) != 0)))
|
|
{
|
|
if ((ErrorMessage->error_code == KRB_ERR_GENERIC) &&
|
|
(ErrorData != NULL) && (ErrorData->data_type == KERB_AP_ERR_TYPE_NTSTATUS) &&
|
|
((ErrorData->bit_mask & data_value_present) != 0) &&
|
|
(ErrorData->data_value.value != NULL) &&
|
|
(ErrorData->data_value.length == sizeof(ULONG)))
|
|
{
|
|
Status = *((PULONG)ErrorMessage->error_data.value);
|
|
|
|
if (NT_SUCCESS(Status)) // must fail here
|
|
{
|
|
Status = STATUS_INTERNAL_ERROR;
|
|
}
|
|
|
|
DebugLog((DEB_ERROR, "InitSecContext Received KERB_ERROR message with Status %#x, %ws, line %d\n",
|
|
Status, THIS_FILE, __LINE__));
|
|
}
|
|
|
|
if (ErrorMessage->error_code == KRB_AP_ERR_MODIFIED)
|
|
{
|
|
//
|
|
// If the server couldn't decrypt the ticket,
|
|
// then the target name is wrong for the server.
|
|
//
|
|
DebugLog((DEB_ERROR, "App modified error (NO CONTINUE, bail)\n"));
|
|
KerbReportApError(ErrorMessage, TargetName);
|
|
Status = SEC_E_WRONG_PRINCIPAL;
|
|
}
|
|
else if (ErrorMessage->error_code == KRB_AP_ERR_TKT_NYV)
|
|
{
|
|
DebugLog((DEB_ERROR, "Not yet valid error - Check Time Skew\n"));
|
|
KerbReportApError(ErrorMessage, NULL);
|
|
Status = STATUS_TIME_DIFFERENCE_AT_DC;
|
|
}
|
|
else
|
|
{
|
|
DebugLog((DEB_ERROR, "InitSecContext Received KERB_ERROR message with error 0x%x, can't handle. %ws, line %d\n",
|
|
ErrorMessage->error_code, THIS_FILE, __LINE__));
|
|
|
|
Status = KerbMapKerbError((KERBERR) ErrorMessage->error_code);
|
|
if (NT_SUCCESS(Status)) // must fail here
|
|
{
|
|
Status = STATUS_INTERNAL_ERROR;
|
|
}
|
|
}
|
|
goto Cleanup;
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Check to see if the server supports skew
|
|
//
|
|
|
|
if ((ErrorMessage->error_code == KRB_AP_ERR_SKEW) &&
|
|
(ErrorData == NULL) || ((ErrorData != NULL) && (ErrorData->data_type != KERB_AP_ERR_TYPE_SKEW_RECOVERY)))
|
|
{
|
|
//
|
|
// The server doesn't support skew recovery.
|
|
//
|
|
|
|
D_DebugLog((DEB_WARN, "SpInitLsaModeContext skew error but server doesn't handle skew recovery.\n"));
|
|
Status = KerbMapKerbError((KERBERR) ErrorMessage->error_code);
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Here's where we'll punt "not yet valid tickets" and friends...
|
|
//
|
|
if (ErrorMessage->error_code == KRB_AP_ERR_TKT_NYV)
|
|
{
|
|
KerbPurgeServiceTicketAndTgt(
|
|
Context,
|
|
CredentialHandle,
|
|
CredManCredentials
|
|
);
|
|
|
|
DebugLog((DEB_ERROR, "Purged all tickets due to NYV error!\n"));
|
|
}
|
|
|
|
KerbWriteLockContexts();
|
|
Context->Retries++;
|
|
KerbUnlockContexts();
|
|
}
|
|
|
|
////////////////////////////////////////////////////
|
|
//
|
|
// We got an error we can handle. For user-to-user
|
|
// required, we received the TGT so we can get
|
|
// the appropriate ticket. For modified, we want
|
|
// to toss the old ticket & get a new one, hopefully
|
|
// with a better key.
|
|
//
|
|
////////////////////////////////////////////////////
|
|
if ((KERBERR) ErrorMessage->error_code == KRB_AP_ERR_USER_TO_USER_REQUIRED)
|
|
{
|
|
D_DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext received KRB_AP_ERR_USER_TO_USER_REQUIRED\n"));
|
|
|
|
if ((ErrorMessage->bit_mask & error_data_present) == 0)
|
|
{
|
|
DebugLog((DEB_ERROR, "Server requires user-to-user but didn't send TGT reply. %ws, line %d\n", THIS_FILE, __LINE__));
|
|
Status = STATUS_NO_TGT_REPLY;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Check for TGT reply
|
|
//
|
|
|
|
Status = KerbUnpackTgtReply(
|
|
Context,
|
|
ErrorMessage->error_data.value,
|
|
ErrorMessage->error_data.length,
|
|
&TargetInternalName,
|
|
&TargetDomainName,
|
|
&TgtReply
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR, "SpInitLsaModeContext failed to unpack tgt reply %#x\n", Status));
|
|
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Fall through into normal ticket handling
|
|
//
|
|
|
|
ContextFlags |= ISC_RET_USE_SESSION_KEY;
|
|
|
|
//
|
|
// Remove the old ticket cache entry
|
|
//
|
|
|
|
KerbWriteLockContexts();
|
|
TicketCacheEntry = Context->TicketCacheEntry;
|
|
Context->TicketCacheEntry = NULL;
|
|
KerbUnlockContexts();
|
|
|
|
if (TicketCacheEntry != NULL)
|
|
{
|
|
KerbFreeString(
|
|
&TargetDomainName
|
|
);
|
|
KerbFreeKdcName(
|
|
&TargetInternalName
|
|
);
|
|
|
|
//
|
|
// Get the target name from the old ticket
|
|
//
|
|
KerbReadLockTicketCache();
|
|
Status = KerbDuplicateString(
|
|
&TargetDomainName,
|
|
&TicketCacheEntry->DomainName
|
|
);
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
Status = KerbDuplicateKdcName(
|
|
&TargetInternalName,
|
|
TicketCacheEntry->ServiceName
|
|
);
|
|
}
|
|
|
|
KerbUnlockTicketCache();
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Free this ticket cache entry
|
|
//
|
|
|
|
KerbRemoveTicketCacheEntry(TicketCacheEntry);
|
|
|
|
//
|
|
// Remove the reference holding it to the context
|
|
//
|
|
|
|
KerbDereferenceTicketCacheEntry(TicketCacheEntry);
|
|
|
|
TicketCacheEntry = NULL;
|
|
}
|
|
|
|
break;
|
|
}
|
|
else if ((KERBERR) ErrorMessage->error_code == KRB_AP_ERR_MODIFIED)
|
|
{
|
|
DebugLog((DEB_WARN, "App modified error (purge ticket!)\n"));
|
|
|
|
KerbWriteLockContexts();
|
|
TicketCacheEntry = Context->TicketCacheEntry;
|
|
Context->TicketCacheEntry = NULL;
|
|
KerbUnlockContexts();
|
|
|
|
if (TicketCacheEntry != NULL)
|
|
{
|
|
//
|
|
// Get rid of the old ticket in the context
|
|
|
|
KerbFreeString(
|
|
&TargetDomainName
|
|
);
|
|
KerbFreeKdcName(
|
|
&TargetInternalName
|
|
);
|
|
|
|
//
|
|
// Get the target name from the old ticket
|
|
//
|
|
KerbReadLockTicketCache();
|
|
Status = KerbDuplicateString(
|
|
&TargetDomainName,
|
|
&TicketCacheEntry->DomainName
|
|
);
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
|
|
Status = KerbDuplicateKdcName(
|
|
&TargetInternalName,
|
|
TicketCacheEntry->ServiceName
|
|
);
|
|
}
|
|
KerbUnlockTicketCache();
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
//
|
|
// Free this ticket cache entry
|
|
//
|
|
|
|
KerbRemoveTicketCacheEntry(TicketCacheEntry);
|
|
|
|
//
|
|
// Remove the reference holding it to the context
|
|
//
|
|
|
|
KerbDereferenceTicketCacheEntry(TicketCacheEntry);
|
|
|
|
TicketCacheEntry = NULL;
|
|
}
|
|
}
|
|
|
|
break;
|
|
}
|
|
}
|
|
|
|
////////////////////////////////////////////////////
|
|
//
|
|
// We successfully decrypted the AP reply. At this point
|
|
// we want to finalize the context. For DCE style we send
|
|
// a useless AP reply to the server.
|
|
//
|
|
////////////////////////////////////////////////////
|
|
|
|
//
|
|
// If the caller wanted DCE style authentication, build another
|
|
// AP reply
|
|
//
|
|
|
|
KerbWriteLockContexts();
|
|
|
|
if ((Context->ContextFlags & ISC_RET_USED_DCE_STYLE) != 0)
|
|
{
|
|
DoThirdLeg = TRUE;
|
|
}
|
|
else
|
|
{
|
|
DoThirdLeg = FALSE;
|
|
}
|
|
|
|
Context->ReceiveNonce = ReceiveNonce;
|
|
|
|
KerbUnlockContexts();
|
|
|
|
if (DoThirdLeg)
|
|
{
|
|
//
|
|
// Build an AP reply to send back to the server.
|
|
//
|
|
|
|
Status = KerbBuildThirdLegApReply(
|
|
Context,
|
|
ReceiveNonce,
|
|
&Reply,
|
|
&ReplySize
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to build AP reply: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (OutputToken == NULL)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Output token missing. %ws, line %d\n", THIS_FILE, __LINE__));
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Return the AP reply in the output buffer.
|
|
//
|
|
|
|
if ((ContextRequirements & ISC_REQ_ALLOCATE_MEMORY) == 0)
|
|
{
|
|
if (OutputToken->cbBuffer < ReplySize)
|
|
{
|
|
ULONG ErrorData[3];
|
|
|
|
ErrorData[0] = ReplySize;
|
|
ErrorData[1] = OutputToken->cbBuffer;
|
|
ErrorData[2] = ClientProcess;
|
|
|
|
DebugLog((DEB_ERROR,"Output token is too small - sent in %d, needed %d. %ws, line %d\n",
|
|
OutputToken->cbBuffer,ReplySize, THIS_FILE, __LINE__ ));
|
|
OutputToken->cbBuffer = ReplySize;
|
|
Status = STATUS_BUFFER_TOO_SMALL;
|
|
|
|
KerbReportNtstatus(
|
|
KERBEVT_INSUFFICIENT_TOKEN_SIZE,
|
|
Status,
|
|
NULL,
|
|
0,
|
|
ErrorData,
|
|
3
|
|
);
|
|
|
|
goto Cleanup;
|
|
}
|
|
|
|
RtlCopyMemory(
|
|
OutputToken->pvBuffer,
|
|
Reply,
|
|
ReplySize
|
|
);
|
|
}
|
|
else
|
|
{
|
|
OutputToken->pvBuffer = Reply;
|
|
Reply = NULL;
|
|
*ContextAttributes |= ISC_RET_ALLOCATED_MEMORY;
|
|
}
|
|
OutputToken->cbBuffer = ReplySize;
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// No return message, so set the return length to zero.
|
|
//
|
|
|
|
if (OutputToken != NULL)
|
|
{
|
|
OutputToken->cbBuffer = 0;
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//////////////////////////////////////////////////////////////////////
|
|
//
|
|
// We are doing datagram, so we don't expect anything from the
|
|
// server but perhaps an error. If we get an error, handle it.
|
|
// Otherwise, build an AP request to send to the server
|
|
//
|
|
/////////////////////////////////////////////////////////////////////
|
|
|
|
//
|
|
// We are doing datagram. Build the AP request for the
|
|
// server side.
|
|
//
|
|
|
|
//
|
|
// Check for an error message
|
|
//
|
|
|
|
if ((InputToken != NULL) && (InputToken->cbBuffer != 0))
|
|
{
|
|
Status = KerbReceiveErrorMessage(
|
|
(PUCHAR) InputToken->pvBuffer,
|
|
InputToken->cbBuffer,
|
|
Context,
|
|
&ErrorMessage,
|
|
&ErrorData
|
|
);
|
|
DebugLog((DEB_TRACE, "SpInitLsaModeContext datagram called KerbReceiveErrorMessage %#x\n", Status));
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbReportKerbError(
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
KLIN(FILENO, __LINE__),
|
|
ErrorMessage,
|
|
((NULL != ErrorMessage) ? ErrorMessage->error_code : KRB_ERR_GENERIC),
|
|
pExtendedError,
|
|
FALSE
|
|
);
|
|
|
|
//
|
|
// Check for a real error
|
|
//
|
|
|
|
if ((ErrorData != NULL) && (ErrorData->data_type == KERB_AP_ERR_TYPE_NTSTATUS) &&
|
|
((ErrorData->bit_mask & data_value_present) != 0) &&
|
|
(ErrorData->data_value.value != NULL) &&
|
|
(ErrorData->data_value.length == sizeof(ULONG)))
|
|
{
|
|
Status = *((PULONG)ErrorMessage->error_data.value);
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
Status = STATUS_INTERNAL_ERROR;
|
|
}
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Get the associated credential
|
|
//
|
|
|
|
Status = KerbReferenceCredential(
|
|
CredentialHandle,
|
|
KERB_CRED_OUTBOUND | KERB_CRED_TGT_AVAIL,
|
|
FALSE,
|
|
&Credential);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_WARN,"Failed to locate credential: 0x%x\n",Status));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Get the logon id from the credentials so we can locate the
|
|
// logon session.
|
|
//
|
|
|
|
LogonId = Credential->LogonId;
|
|
|
|
//
|
|
// Get the logon session
|
|
//
|
|
|
|
LogonSession = KerbReferenceLogonSession( &LogonId, FALSE );
|
|
if (LogonSession == NULL)
|
|
{
|
|
Status = STATUS_NO_SUCH_LOGON_SESSION;
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
|
|
|
|
if (Credential->SuppliedCredentials != NULL)
|
|
{
|
|
GetAuthTicket = TRUE;
|
|
} else if (((Credential->CredentialFlags & KERB_CRED_NULL_SESSION) != 0) ||
|
|
((ContextRequirements & ISC_REQ_NULL_SESSION) != 0))
|
|
{
|
|
UseNullSession = TRUE;
|
|
ContextFlags |= ISC_RET_NULL_SESSION;
|
|
}
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
|
|
KerbReadLockContexts();
|
|
|
|
TicketCacheEntry = Context->TicketCacheEntry;
|
|
|
|
//
|
|
// Get the session key to use from the context
|
|
//
|
|
|
|
if (Context->SessionKey.keyvalue.value != 0)
|
|
{
|
|
if (!KERB_SUCCESS(KerbDuplicateKey(
|
|
&SubSessionKey,
|
|
&Context->SessionKey
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
}
|
|
|
|
Context->TicketCacheEntry = NULL;
|
|
|
|
KerbUnlockContexts();
|
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
D_DebugLog((DEB_TRACE_CTXT2,"Building AP request for datagram oriented context\n"));
|
|
|
|
//
|
|
// If we are building a null session, build the special null
|
|
// session AP request
|
|
//
|
|
|
|
if (UseNullSession)
|
|
{
|
|
Status = KerbBuildNullSessionApRequest(
|
|
&Request,
|
|
&RequestSize
|
|
);
|
|
//
|
|
// Turn off all unsupported flags
|
|
//
|
|
|
|
ContextFlags &= ( ISC_RET_ALLOCATED_MEMORY |
|
|
ISC_RET_CONNECTION |
|
|
ISC_RET_DATAGRAM |
|
|
ISC_RET_NULL_SESSION );
|
|
}
|
|
else
|
|
{
|
|
if (TicketCacheEntry == NULL)
|
|
{
|
|
DebugLog((DEB_ERROR, "SpInitLsaModeContext does have service ticket\n"));
|
|
|
|
Status = STATUS_INTERNAL_ERROR;
|
|
goto Cleanup;
|
|
}
|
|
|
|
Status = KerbBuildApRequest(
|
|
LogonSession,
|
|
Credential,
|
|
CredManCredentials,
|
|
TicketCacheEntry,
|
|
ErrorMessage,
|
|
ContextAttribs,
|
|
&ContextFlags,
|
|
&Request,
|
|
&RequestSize,
|
|
&Nonce,
|
|
&AuthenticatorTime,
|
|
&SubSessionKey,
|
|
pChannelBindings
|
|
);
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to build AP request: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Return the AP request in the output buffer.
|
|
//
|
|
|
|
if ((ContextRequirements & ISC_REQ_ALLOCATE_MEMORY) == 0)
|
|
{
|
|
if (OutputToken->cbBuffer < RequestSize)
|
|
{
|
|
ULONG ErrorData[3];
|
|
|
|
ErrorData[0] = RequestSize;
|
|
ErrorData[1] = OutputToken->cbBuffer;
|
|
ErrorData[2] = ClientProcess;
|
|
|
|
D_DebugLog((DEB_ERROR,"Output token is too small - sent in %d, needed %d. %ws, line %d\n",
|
|
OutputToken->cbBuffer,RequestSize, THIS_FILE, __LINE__ ));
|
|
OutputToken->cbBuffer = RequestSize;
|
|
Status = STATUS_BUFFER_TOO_SMALL;
|
|
|
|
KerbReportNtstatus(
|
|
KERBEVT_INSUFFICIENT_TOKEN_SIZE,
|
|
Status,
|
|
NULL,
|
|
0,
|
|
ErrorData,
|
|
3
|
|
);
|
|
|
|
goto Cleanup;
|
|
}
|
|
|
|
RtlCopyMemory(
|
|
OutputToken->pvBuffer,
|
|
Request,
|
|
RequestSize
|
|
);
|
|
}
|
|
else
|
|
{
|
|
OutputToken->pvBuffer = Request;
|
|
*ContextAttributes |= ISC_RET_ALLOCATED_MEMORY;
|
|
Request = NULL;
|
|
}
|
|
|
|
OutputToken->cbBuffer = RequestSize;
|
|
}
|
|
|
|
//
|
|
//
|
|
// We're done - we finalized.
|
|
//
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
KerbReadLockContexts();
|
|
Context->ContextFlags = ContextFlags;
|
|
*ContextAttributes |= Context->ContextFlags;
|
|
|
|
KerbUtcTimeToLocalTime(
|
|
ExpirationTime,
|
|
&Context->Lifetime
|
|
);
|
|
*NewContextHandle = ContextHandle;
|
|
KerbUnlockContexts();
|
|
|
|
goto Cleanup;
|
|
}
|
|
|
|
//////////////////////////////////////////////////////////////////////
|
|
//
|
|
// We need to create a request to the server, possibly a TGT request
|
|
// or an AP request depending on what phase of the protocol we're in.
|
|
//
|
|
/////////////////////////////////////////////////////////////////////
|
|
|
|
DsysAssert(!((Context != NULL) ^ ((ErrorMessage != NULL) || (TgtReply != NULL))));
|
|
|
|
D_DebugLog((DEB_TRACE_CTXT,"SpInitLsaModeContext: First call to Initialize\n"));
|
|
|
|
//
|
|
// This is the case where we are constructing a new context.
|
|
//
|
|
|
|
//
|
|
// Get the associated credential and its TGT, if needed
|
|
//
|
|
|
|
Status = KerbReferenceCredential(
|
|
CredentialHandle,
|
|
KERB_CRED_OUTBOUND | KERB_CRED_TGT_AVAIL,
|
|
FALSE,
|
|
&Credential
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
InitialStatus = Status;
|
|
|
|
Status = KerbReferenceCredential(
|
|
CredentialHandle,
|
|
KERB_CRED_OUTBOUND,
|
|
FALSE,
|
|
&Credential
|
|
);
|
|
if( !NT_SUCCESS( Status ) || Credential->SuppliedCredentials != NULL)
|
|
{
|
|
Status = InitialStatus;
|
|
D_DebugLog((DEB_WARN,"Failed to locate credential 0x%x\n",Status));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// if we got here, only explicit or credman creds are allowed.
|
|
// If the explicit creds failed to get a TGT from above, its also
|
|
// time to bail, as explicit creds never should fall back to credman.
|
|
//
|
|
// We may also try to use S4U
|
|
//
|
|
}
|
|
|
|
//
|
|
// Get the logon id from the credentials so we can locate the
|
|
// logon session.
|
|
//
|
|
|
|
LogonId = Credential->LogonId;
|
|
|
|
//
|
|
// Get the logon session
|
|
//
|
|
|
|
LogonSession = KerbReferenceLogonSession( &LogonId, FALSE );
|
|
if (LogonSession == NULL)
|
|
{
|
|
Status = STATUS_NO_SUCH_LOGON_SESSION;
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
LogonSessionFlags = LogonSession->LogonSessionFlags;
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
|
|
//
|
|
// Make some decisions based on the state of the credential. If using
|
|
// supplied credentials, make decisions based on the logon session.
|
|
// or presense of credman credentials.
|
|
//
|
|
|
|
if (Credential->SuppliedCredentials != NULL)
|
|
{
|
|
GetAuthTicket = TRUE;
|
|
}
|
|
else if (((Credential->CredentialFlags & KERB_CRED_NULL_SESSION) != 0) ||
|
|
((ContextRequirements & ISC_REQ_NULL_SESSION) != 0))
|
|
{
|
|
UseNullSession = TRUE;
|
|
ContextFlags |= ISC_RET_NULL_SESSION;
|
|
}
|
|
else if ((LogonSessionFlags & KERB_LOGON_S4U_REQUIRED) != 0)
|
|
{
|
|
//
|
|
// Evaluate the current state of the logon session. If its an S4U one,
|
|
// but isn't marked for delegate, then this will be a NULL session.
|
|
//
|
|
|
|
if ((LogonSessionFlags & KERB_LOGON_DELEGATE_OK) == 0)
|
|
{
|
|
DebugLog((DEB_ERROR, "Calling ISC from a nondelegatable S4U ls (%p)\n", LogonSession));
|
|
Status = SEC_E_NO_CREDENTIALS;
|
|
goto Cleanup;
|
|
}
|
|
else
|
|
{
|
|
DebugLog((DEB_TRACE_S4U, "Trying S4UProxy for ls %p\n", LogonSession));
|
|
|
|
//
|
|
// The other 2 forms of S4U possibilities (dummy & delegate OK) will
|
|
// either have a ticket, or require an S4U ticket. Handle this by
|
|
// prefetching the S4U ticket as evidence for S4U request.
|
|
//
|
|
Status = KerbGetS4UProxyEvidence(
|
|
LogonSession,
|
|
TargetInternalName,
|
|
Credential->ClientProcess,
|
|
&CallerLogonSession,
|
|
&EvidenceTicket
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR, "Failed to get S4UProxy Evidence ticket %x \n", Status));
|
|
Status = SEC_E_NO_CREDENTIALS; // fall back to anony / NTLM...
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// go to the credential manager to try and find
|
|
// credentials for this specific target
|
|
//
|
|
|
|
ULONG ExtraTargetFlags = 0;
|
|
|
|
|
|
if ((ContextRequirements & ISC_REQ_USE_SUPPLIED_CREDS) != 0)
|
|
{
|
|
ExtraTargetFlags = CRED_TI_ONLY_PASSWORD_REQUIRED;
|
|
}
|
|
|
|
KerbWriteLockLogonSessions(LogonSession);
|
|
Status = KerbCheckCredMgrForGivenTarget(
|
|
LogonSession,
|
|
Credential,
|
|
TargetName, // original targetname, may contain marshalled targetinfo
|
|
TargetInternalName,
|
|
ExtraTargetFlags,
|
|
&TargetDomainName,
|
|
NULL,
|
|
&CredManCredentials,
|
|
&pbMarshalledTargetInfo,
|
|
&cbMarshalledTargetInfo
|
|
);
|
|
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR, "SpInitLsaModeContext failed to get outbound ticket, KerbCheckCredMgrForGivenTarget failed with 0x%x\n", Status));
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (CredManCredentials != NULL)
|
|
{
|
|
GetAuthTicket = TRUE;
|
|
ProcessFlags &= ~KERB_TARGET_UNKNOWN_SPN;
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// if this is a local account logon then we have to have a cred man
|
|
// credential
|
|
//
|
|
if ((Credential->CredentialFlags & KERB_CRED_LOCAL_ACCOUNT) != 0)
|
|
{
|
|
D_DebugLog((DEB_WARN, "Trying to use a local logon session with Kerberos\n"));
|
|
Status = SEC_E_NO_CREDENTIALS;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// if no credman cred was found, we didn't use explicit creds,
|
|
// and the initial credential reference for TGT_AVAIL failed, bail now.
|
|
//
|
|
if( !NT_SUCCESS( InitialStatus ) )
|
|
{
|
|
Status = InitialStatus;
|
|
D_DebugLog((DEB_WARN,"Failed to locate credential 0x%x\n",Status));
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
}
|
|
|
|
#if DBG
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
D_DebugLog((DEB_TRACE_CTXT, "SpInitLsaModeContext: Initailizing context for %wZ\\%wZ\n",
|
|
&LogonSession->PrimaryCredentials.DomainName,
|
|
&LogonSession->PrimaryCredentials.UserName ));
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
#endif
|
|
|
|
//////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Process all the context requirements. We don't support all of them
|
|
// and some of them are mutually exclusive. In general, we don't fail
|
|
// if we're asked to do something we can't do, unless it seems mandatory,
|
|
// like allocating memory.
|
|
//
|
|
/////////////////////////////////////////////////////////////////////
|
|
|
|
//
|
|
// Figure out the context flags
|
|
//
|
|
|
|
if ((ContextRequirements & ISC_REQ_MUTUAL_AUTH) != 0)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT,"Client wants mutual auth.\n"));
|
|
ContextFlags |= ISC_RET_MUTUAL_AUTH;
|
|
}
|
|
|
|
|
|
if ((ContextRequirements & ISC_REQ_SEQUENCE_DETECT) != 0)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT, "Client wants sequence detect\n"));
|
|
ContextFlags |= ISC_RET_SEQUENCE_DETECT | ISC_RET_INTEGRITY;
|
|
}
|
|
|
|
if ((ContextRequirements & ISC_REQ_REPLAY_DETECT) != 0)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT, "Client wants replay detect\n"));
|
|
ContextFlags |= ISC_RET_REPLAY_DETECT | ISC_RET_INTEGRITY;
|
|
}
|
|
|
|
if ((ContextRequirements & ISC_REQ_INTEGRITY) != 0)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT, "Client wants integrity\n"));
|
|
ContextFlags |= ISC_RET_INTEGRITY;
|
|
}
|
|
|
|
if ((ContextRequirements & ISC_REQ_CONFIDENTIALITY) != 0)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT, "Client wants privacy\n"));
|
|
ContextFlags |= (ISC_RET_CONFIDENTIALITY |
|
|
ISC_RET_INTEGRITY |
|
|
ISC_RET_SEQUENCE_DETECT |
|
|
ISC_RET_REPLAY_DETECT );
|
|
}
|
|
|
|
if ((ContextRequirements & ISC_REQ_USE_DCE_STYLE) != 0)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT, "Client wants DCE style\n"));
|
|
ContextFlags |= ISC_RET_USED_DCE_STYLE;
|
|
}
|
|
|
|
if ((ContextRequirements & ISC_REQ_EXTENDED_ERROR) != 0)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT, "Client wants extended error\n"));
|
|
ContextFlags |= ISC_RET_EXTENDED_ERROR;
|
|
}
|
|
|
|
if ((ContextRequirements & ISC_REQ_DATAGRAM) != 0)
|
|
{
|
|
if ((ContextRequirements & ISC_REQ_CONNECTION) != 0)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Client wanted both data gram and connection. %ws, line %d\n", THIS_FILE, __LINE__));
|
|
Status = SEC_E_UNSUPPORTED_FUNCTION;
|
|
goto Cleanup;
|
|
}
|
|
D_DebugLog((DEB_TRACE_CTXT, "Client wants Datagram style\n"));
|
|
ContextFlags |= ISC_RET_DATAGRAM;
|
|
}
|
|
|
|
if ((ContextRequirements & ISC_REQ_USE_SESSION_KEY) != 0)
|
|
{
|
|
D_DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext Client wants sub-session key\n"));
|
|
|
|
//
|
|
// Can't do this with datagram because we need to be able to
|
|
// start sealing messages after the first call to Initialize.
|
|
//
|
|
// With a null session there is no real ticket so we don't ever
|
|
// need the server TGT either.
|
|
//
|
|
// Can't do DCE style because they don't have this.
|
|
//
|
|
|
|
if (!UseNullSession && (ContextRequirements & (ISC_REQ_DATAGRAM | ISC_REQ_USE_DCE_STYLE)) == 0)
|
|
{
|
|
//
|
|
// If we are in the first call, get a server TGT
|
|
//
|
|
|
|
if (ContextState == InvalidState)
|
|
{
|
|
GetServerTgt = TRUE;
|
|
}
|
|
ContextFlags |= ISC_RET_USE_SESSION_KEY;
|
|
}
|
|
else
|
|
{
|
|
DebugLog((DEB_WARN, "SpInitLsaModeContext Client wanted both datagram and session key, dropping session key\n"));
|
|
}
|
|
}
|
|
|
|
if ((ContextRequirements & ISC_REQ_DELEGATE) != 0)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT, "Client wants Delegation\n"));
|
|
if ((ContextFlags & ISC_RET_MUTUAL_AUTH) == 0)
|
|
{
|
|
D_DebugLog((DEB_WARN,"Can't do delegate without mutual\n"));
|
|
}
|
|
else
|
|
{
|
|
ContextFlags |= ISC_RET_DELEGATE;
|
|
}
|
|
}
|
|
else if ((ContextRequirements & ISC_REQ_DELEGATE_IF_SAFE) != 0)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT, "Client wants Delegation, if safe\n"));
|
|
if ((ContextFlags & ISC_RET_MUTUAL_AUTH) == 0)
|
|
{
|
|
D_DebugLog((DEB_WARN,"Can't do delegate without mutual\n"));
|
|
}
|
|
else
|
|
{
|
|
ContextFlags |= ISC_RET_DELEGATE_IF_SAFE;
|
|
}
|
|
}
|
|
|
|
if ((ContextRequirements & ISC_REQ_CONNECTION) != 0)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT, "Client wants Connection style\n"));
|
|
ContextFlags |= ISC_RET_CONNECTION;
|
|
}
|
|
|
|
if ((ContextRequirements & ISC_REQ_IDENTIFY) != 0)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT, "Client wants Identify level\n"));
|
|
ContextFlags |= ISC_RET_IDENTIFY;
|
|
if (((ContextRequirements & ISC_REQ_DELEGATE) != 0) ||
|
|
((ContextRequirements & ISC_REQ_DELEGATE_IF_SAFE) != 0))
|
|
{
|
|
D_DebugLog((DEB_WARN, "Client wants Delegation and Indentify, turning off delegation\n"));
|
|
ContextFlags &= ~ISC_RET_DELEGATE;
|
|
ContextFlags &= ~ISC_RET_DELEGATE_IF_SAFE;
|
|
}
|
|
}
|
|
|
|
//////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Get the ticket necessary to process the request. At this point:
|
|
// - TicketCacheEntry should contain the ticket to re-use
|
|
// - ErrorMessage should contain the error message, if there was one
|
|
//
|
|
/////////////////////////////////////////////////////////////////////
|
|
|
|
//
|
|
// Get the outbound ticket. If the credential has attached supplied
|
|
// credentials, get an AS ticket instead.
|
|
//
|
|
|
|
if (GetServerTgt)
|
|
{
|
|
//
|
|
// Nothing to do
|
|
//
|
|
|
|
}
|
|
else if (!UseNullSession)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT,"SpInitLsaModeContext: Getting outbound ticket for %wZ (%wZ) or ",
|
|
TargetName, &LocalTargetName));
|
|
D_KerbPrintKdcName((DEB_TRACE_CTXT, TargetInternalName));
|
|
|
|
//
|
|
// If we got a skew error and we already have a cached ticket, don't
|
|
// bother getting a new ticket.
|
|
//
|
|
|
|
KerbReadLockContexts();
|
|
|
|
if (ErrorMessage != NULL)
|
|
{
|
|
if (((KERBERR) ErrorMessage->error_code == KRB_AP_ERR_SKEW) &&
|
|
(Context->TicketCacheEntry != NULL))
|
|
{
|
|
TicketCacheEntry = Context->TicketCacheEntry;
|
|
KerbReferenceTicketCacheEntry(Context->TicketCacheEntry);
|
|
}
|
|
}
|
|
KerbUnlockContexts();
|
|
|
|
//
|
|
// If we don't have a ticket in the context, go ahead and get
|
|
// a new ticket
|
|
//
|
|
|
|
if ( EvidenceTicket != NULL )
|
|
{
|
|
Status = KerbGetServiceTicketByS4UProxy(
|
|
LogonSession,
|
|
CallerLogonSession,
|
|
Credential,
|
|
EvidenceTicket,
|
|
TargetInternalName,
|
|
&TargetDomainName,
|
|
SpnCacheEntry,
|
|
ProcessFlags,
|
|
TicketOptions,
|
|
0, // no enc type
|
|
ErrorMessage,
|
|
NULL, // no authorization data
|
|
TgtReply,
|
|
&TicketCacheEntry,
|
|
NULL // don't return logon guid
|
|
);
|
|
if (Status == STATUS_USER2USER_REQUIRED)
|
|
{
|
|
D_DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext failed to get serviceticket ByS4UProxy: STATUS_USER2USER_REQUIRED\n"));
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
ContextFlags |= ISC_RET_USE_SESSION_KEY;
|
|
GetServerTgt = TRUE;
|
|
}
|
|
else if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_WARN, "SpInitLsaModeContext failed to get outbound ticket, KerbGetServiceTicketByS4UProxy failed 0x%x\n",Status));
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
else if (TicketCacheEntry == NULL)
|
|
{
|
|
D_DebugLog((DEB_TRACE, "SpInitLsaModeContext getting service ticket\n"));
|
|
Status = KerbGetServiceTicket(
|
|
LogonSession,
|
|
Credential,
|
|
CredManCredentials,
|
|
TargetInternalName,
|
|
&TargetDomainName,
|
|
SpnCacheEntry,
|
|
ProcessFlags,
|
|
TicketOptions,
|
|
0, // no enc type
|
|
ErrorMessage,
|
|
NULL, // no authorization data
|
|
TgtReply,
|
|
&TicketCacheEntry,
|
|
NULL // don't return logon guid
|
|
);
|
|
if (Status == STATUS_USER2USER_REQUIRED)
|
|
{
|
|
D_DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext failed to get serviceticket: STATUS_USER2USER_REQUIRED\n"));
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
ContextFlags |= ISC_RET_USE_SESSION_KEY;
|
|
GetServerTgt = TRUE;
|
|
}
|
|
else if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_WARN, "SpInitLsaModeContext failed to get outbound ticket, KerbGetServiceTicket failed with 0x%x\n",Status));
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
//
|
|
// fail user2user in data gram: not enough round trips to complete the protocol
|
|
//
|
|
|
|
if ((ContextFlags & ISC_RET_USE_SESSION_KEY) && (ContextFlags & ISC_RET_DATAGRAM))
|
|
{
|
|
DebugLog((DEB_ERROR, "SpInitLsaModeContext Client needed session key in datagram, dropping session key\n"));
|
|
|
|
ContextFlags |= ~ISC_RET_USE_SESSION_KEY;
|
|
|
|
Status = STATUS_LOGON_FAILURE;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Turn off all unsupported flags
|
|
//
|
|
|
|
ContextFlags &= ( ISC_RET_ALLOCATED_MEMORY |
|
|
ISC_RET_CONNECTION |
|
|
ISC_RET_DATAGRAM |
|
|
ISC_RET_NULL_SESSION );
|
|
|
|
}
|
|
|
|
//////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Build the request - an AP request for standard Kerberos, or a TGT
|
|
// request.
|
|
//
|
|
/////////////////////////////////////////////////////////////////////
|
|
|
|
//
|
|
// For datagram requests, there is no output.
|
|
//
|
|
|
|
if ((ContextFlags & ISC_RET_DATAGRAM) == 0)
|
|
{
|
|
//
|
|
// This is the case where we are constructing a response.
|
|
//
|
|
|
|
if (OutputToken == NULL)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Trying to initialize a context with no output token! %ws, line %d\n", THIS_FILE, __LINE__));
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (UseNullSession)
|
|
{
|
|
Status = KerbBuildNullSessionApRequest(
|
|
&Request,
|
|
&RequestSize
|
|
);
|
|
}
|
|
else if (GetServerTgt)
|
|
{
|
|
D_DebugLog((DEB_TRACE, "Building TGT request for "));
|
|
D_KerbPrintKdcName((DEB_TRACE, TargetInternalName));
|
|
|
|
if (((ContextRequirements & ISC_REQ_MUTUAL_AUTH) != 0) &&
|
|
(!ARGUMENT_PRESENT(TargetName) || TargetName->Length == 0))
|
|
{
|
|
D_DebugLog((DEB_ERROR, "Client wanted mutual auth, but did not supply target name\n"));
|
|
Status = SEC_E_UNSUPPORTED_FUNCTION;
|
|
goto Cleanup;
|
|
}
|
|
|
|
Status = KerbBuildTgtRequest(
|
|
TargetInternalName,
|
|
&TargetDomainName,
|
|
&ContextAttribs,
|
|
&Request,
|
|
&RequestSize
|
|
);
|
|
|
|
D_DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext built TGT request %#x\n", Status));
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT2,"Building AP request for connection oriented context\n"));
|
|
|
|
Status = KerbBuildApRequest(
|
|
LogonSession,
|
|
Credential,
|
|
CredManCredentials,
|
|
TicketCacheEntry,
|
|
ErrorMessage,
|
|
ContextAttribs,
|
|
&ContextFlags,
|
|
&Request,
|
|
&RequestSize,
|
|
&Nonce,
|
|
&AuthenticatorTime,
|
|
&SubSessionKey,
|
|
pChannelBindings
|
|
);
|
|
//
|
|
// Set the receive nonce to be the nonce, as the code below
|
|
// expects it to be valid.
|
|
//
|
|
|
|
ReceiveNonce = Nonce;
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to build AP request: 0x%x\n. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (OutputToken == NULL)
|
|
{
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Return the AP request in the output buffer.
|
|
//
|
|
|
|
if ((ContextRequirements & ISC_REQ_ALLOCATE_MEMORY) == 0)
|
|
{
|
|
if (OutputToken->cbBuffer < RequestSize)
|
|
{
|
|
ULONG ErrorData[3];
|
|
|
|
ErrorData[0] = RequestSize;
|
|
ErrorData[1] = OutputToken->cbBuffer;
|
|
ErrorData[2] = ClientProcess;
|
|
|
|
|
|
D_DebugLog((DEB_ERROR,"Output token is too small - sent in %d, needed %d. %ws, line %d\n",
|
|
OutputToken->cbBuffer,RequestSize, THIS_FILE, __LINE__ ));
|
|
OutputToken->cbBuffer = RequestSize;
|
|
Status = STATUS_BUFFER_TOO_SMALL;
|
|
|
|
KerbReportNtstatus(
|
|
KERBEVT_INSUFFICIENT_TOKEN_SIZE,
|
|
Status,
|
|
NULL,
|
|
0,
|
|
ErrorData,
|
|
3
|
|
);
|
|
|
|
goto Cleanup;
|
|
|
|
}
|
|
RtlCopyMemory(
|
|
OutputToken->pvBuffer,
|
|
Request,
|
|
RequestSize
|
|
);
|
|
}
|
|
else
|
|
{
|
|
OutputToken->pvBuffer = Request;
|
|
if (OutputToken->pvBuffer == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
*ContextAttributes |= ISC_RET_ALLOCATED_MEMORY;
|
|
|
|
//
|
|
// Set this to NULL so it won't be freed by us on cleanup.
|
|
//
|
|
|
|
Request = NULL;
|
|
}
|
|
|
|
OutputToken->cbBuffer = RequestSize;
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// All we do here is allocate a nonce for use in the context.
|
|
//
|
|
|
|
Nonce = KerbAllocateNonce();
|
|
if (OutputToken != NULL)
|
|
{
|
|
OutputToken->cbBuffer = 0;
|
|
}
|
|
}
|
|
|
|
//////////////////////////////////////////////////////////////////////
|
|
//
|
|
// If we haven't yet created a context, created one now. If we have,
|
|
// update the context with the latest status.
|
|
//
|
|
/////////////////////////////////////////////////////////////////////
|
|
|
|
//
|
|
// Allocate a client context, if we don't already have one
|
|
//
|
|
|
|
if (Context == NULL)
|
|
{
|
|
Status = KerbCreateClientContext(
|
|
LogonSession,
|
|
Credential,
|
|
CredManCredentials,
|
|
TicketCacheEntry,
|
|
TargetName,
|
|
Nonce,
|
|
&AuthenticatorTime,
|
|
ContextFlags,
|
|
ContextAttribs,
|
|
&SubSessionKey,
|
|
&Context,
|
|
&ContextLifetime
|
|
);
|
|
|
|
//CredManCredentials = NULL;
|
|
}
|
|
else
|
|
{
|
|
Status = KerbUpdateClientContext(
|
|
Context,
|
|
TicketCacheEntry,
|
|
Nonce,
|
|
&AuthenticatorTime,
|
|
ReceiveNonce,
|
|
ContextFlags,
|
|
ContextAttribs,
|
|
&SubSessionKey,
|
|
&ContextLifetime
|
|
);
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to create client context: 0x%x. %ws, line %d\n",
|
|
Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Keep track of network service session keys to detect whether network
|
|
// logon session is for local network service
|
|
//
|
|
|
|
if (RtlEqualLuid(&LogonId, &LocalSystemLuid))
|
|
{
|
|
FILETIME CurTime = {0};
|
|
GetSystemTimeAsFileTime(&CurTime);
|
|
|
|
//
|
|
// use 2 times KerbGlobalSkewTime as ticket life time
|
|
//
|
|
|
|
KerbGetTime(*((TimeStamp*) &CurTime)) += 2 * KerbGetTime(KerbGlobalSkewTime);
|
|
|
|
Status = KerbCreateSKeyEntry(&SubSessionKey, &CurTime);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to create session key entry: 0x%x. %ws, line %d\n",
|
|
Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Hold on to the ticket for later use
|
|
//
|
|
|
|
KerbWriteLockContexts();
|
|
if ((Context->TicketCacheEntry == NULL) && (TicketCacheEntry != NULL))
|
|
{
|
|
KerbReferenceTicketCacheEntry(TicketCacheEntry);
|
|
Context->TicketCacheEntry = TicketCacheEntry;
|
|
}
|
|
ClientProcess = Context->ClientProcess;
|
|
KerbUnlockContexts();
|
|
|
|
//
|
|
// update the context with the marshalled target info.
|
|
//
|
|
|
|
if( NT_SUCCESS(Status) && pbMarshalledTargetInfo )
|
|
{
|
|
if( Context->pbMarshalledTargetInfo == NULL )
|
|
{
|
|
Context->pbMarshalledTargetInfo = pbMarshalledTargetInfo;
|
|
Context->cbMarshalledTargetInfo = cbMarshalledTargetInfo;
|
|
pbMarshalledTargetInfo = NULL;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Return the correct flags
|
|
//
|
|
|
|
*NewContextHandle = KerbGetContextHandle(Context);
|
|
|
|
*ContextAttributes |= ContextFlags;
|
|
|
|
KerbUtcTimeToLocalTime(
|
|
ExpirationTime,
|
|
&ContextLifetime
|
|
);
|
|
|
|
//
|
|
// If mutual authentication was requested, ask for a continuation
|
|
//
|
|
|
|
if (((ContextFlags & ( ISC_RET_USED_DCE_STYLE |
|
|
ISC_RET_DATAGRAM |
|
|
ISC_RET_MUTUAL_AUTH )) != 0) ||
|
|
GetServerTgt )
|
|
{
|
|
Status = SEC_I_CONTINUE_NEEDED;
|
|
}
|
|
|
|
Cleanup:
|
|
|
|
// Adjust for the new meaning of delegate/delegate-if-safe if they got munged somehow.
|
|
|
|
if (ClientAskedForDelegateIfSafe && (*ContextAttributes & ISC_RET_DELEGATE))
|
|
{
|
|
(*ContextAttributes) &= ~ISC_RET_DELEGATE;
|
|
(*ContextAttributes) |= ISC_RET_DELEGATE_IF_SAFE;
|
|
}
|
|
else if ((ClientAskedForDelegate) && (*ContextAttributes & ISC_RET_DELEGATE_IF_SAFE))
|
|
{
|
|
(*ContextAttributes) &= ~ISC_RET_DELEGATE_IF_SAFE;
|
|
(*ContextAttributes) |= ISC_RET_DELEGATE;
|
|
}
|
|
|
|
if ( Status == STATUS_WRONG_PASSWORD )
|
|
{
|
|
//
|
|
// don't leak WRONG_PASSWORD to the caller.
|
|
//
|
|
|
|
Status = STATUS_LOGON_FAILURE;
|
|
}
|
|
|
|
if( KerbEventTraceFlag ) // Event Trace: KerbInitSecurityContextEnd {Status, CredSource, DomainName, UserName, Target, (ExtErr), (Klininfo)}
|
|
{
|
|
PCWSTR TraceStrings[] =
|
|
{
|
|
L"CredMan",
|
|
L"Supplied",
|
|
L"Context",
|
|
L"LogonSession",
|
|
L"None"
|
|
};
|
|
enum { TSTR_CREDMAN = 0, TSTR_SUPPLIED, TSTR_CONTEXT, TSTR_LOGONSESSION, TSTR_NONE };
|
|
UNICODE_STRING UNICODE_NONE = { 4*sizeof(WCHAR), 4*sizeof(WCHAR), L"NONE" };
|
|
|
|
UNICODE_STRING CredSource;
|
|
PUNICODE_STRING trace_DomainName, trace_UserName, trace_target;
|
|
|
|
trace_target = (Context != NULL) ? &Context->ServerPrincipalName : &UNICODE_NONE;
|
|
|
|
if( Context != NULL && Context->CredManCredentials != NULL )
|
|
{
|
|
RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_CREDMAN] );
|
|
trace_DomainName = &Context->CredManCredentials->SuppliedCredentials->DomainName;
|
|
trace_UserName = &Context->CredManCredentials->SuppliedCredentials->UserName;
|
|
}
|
|
else if( Credential != NULL && Credential->SuppliedCredentials != NULL )
|
|
{
|
|
RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_SUPPLIED] );
|
|
trace_DomainName = &Credential->SuppliedCredentials->DomainName;
|
|
trace_UserName = &Credential->SuppliedCredentials->UserName;
|
|
}
|
|
else if( Context != NULL )
|
|
{
|
|
RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_CONTEXT] );
|
|
trace_DomainName = &Context->ClientRealm;
|
|
trace_UserName = &Context->ClientName;
|
|
}
|
|
else if( LogonSession != NULL )
|
|
{
|
|
RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_LOGONSESSION] );
|
|
trace_DomainName = &LogonSession->PrimaryCredentials.DomainName;
|
|
trace_UserName = &LogonSession->PrimaryCredentials.UserName;
|
|
}
|
|
else
|
|
{
|
|
RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_NONE] );
|
|
trace_DomainName = &UNICODE_NONE;
|
|
trace_UserName = &UNICODE_NONE;
|
|
}
|
|
|
|
INSERT_ULONG_INTO_MOF( Status, InitSCTraceInfo.MofData, 0 );
|
|
INSERT_UNICODE_STRING_INTO_MOF( CredSource, InitSCTraceInfo.MofData, 1 );
|
|
INSERT_UNICODE_STRING_INTO_MOF( *trace_DomainName, InitSCTraceInfo.MofData, 3 );
|
|
INSERT_UNICODE_STRING_INTO_MOF( *trace_UserName, InitSCTraceInfo.MofData, 5 );
|
|
INSERT_UNICODE_STRING_INTO_MOF( *trace_target, InitSCTraceInfo.MofData, 7 );
|
|
InitSCTraceInfo.EventTrace.Size = sizeof(EVENT_TRACE_HEADER) + 9*sizeof(MOF_FIELD);
|
|
|
|
//Check for extended error
|
|
if( pExtendedError != NULL )
|
|
{
|
|
INSERT_ULONG_INTO_MOF( pExtendedError->status, InitSCTraceInfo.MofData, 9 );
|
|
INSERT_ULONG_INTO_MOF( pExtendedError->klininfo, InitSCTraceInfo.MofData, 10 );
|
|
InitSCTraceInfo.EventTrace.Size += 2*sizeof(MOF_FIELD);
|
|
}
|
|
|
|
// Set trace parameters
|
|
InitSCTraceInfo.EventTrace.Guid = KerbInitSCGuid;
|
|
InitSCTraceInfo.EventTrace.Class.Type = EVENT_TRACE_TYPE_END;
|
|
InitSCTraceInfo.EventTrace.Flags = WNODE_FLAG_TRACED_GUID | WNODE_FLAG_USE_MOF_PTR;
|
|
|
|
TraceEvent(
|
|
KerbTraceLoggerHandle,
|
|
(PEVENT_TRACE_HEADER)&InitSCTraceInfo
|
|
);
|
|
}
|
|
|
|
//
|
|
// If we allocated a context, unlink it now
|
|
//
|
|
|
|
if (Context != NULL)
|
|
{
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
//
|
|
// Only unlink the context if we just created it
|
|
//
|
|
|
|
if (ContextHandle == 0)
|
|
{
|
|
KerbReferenceContextByPointer(
|
|
Context,
|
|
TRUE
|
|
);
|
|
KerbDereferenceContext(Context);
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Set the context to an invalid state.
|
|
//
|
|
|
|
KerbWriteLockContexts();
|
|
Context->ContextState = InvalidState;
|
|
KerbUnlockContexts();
|
|
}
|
|
}
|
|
else
|
|
{
|
|
KerbWriteLockContexts();
|
|
if (Status == STATUS_SUCCESS)
|
|
{
|
|
Context->ContextState = AuthenticatedState;
|
|
}
|
|
else if (!GetServerTgt)
|
|
{
|
|
Context->ContextState = ApRequestSentState;
|
|
}
|
|
else
|
|
{
|
|
Context->ContextState = TgtRequestSentState;
|
|
|
|
//
|
|
// mark the context as user2user
|
|
//
|
|
|
|
Context->ContextAttributes |= KERB_CONTEXT_USER_TO_USER;
|
|
DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext (TGT in TGT reply) USER2USER-OUTBOUND set\n"));
|
|
}
|
|
KerbUnlockContexts();
|
|
}
|
|
KerbDereferenceContext(Context);
|
|
}
|
|
|
|
if ((Status == STATUS_SUCCESS) ||
|
|
((Status == SEC_I_CONTINUE_NEEDED) && ((ContextFlags & ISC_RET_DATAGRAM) != 0)))
|
|
{
|
|
NTSTATUS TempStatus;
|
|
|
|
//
|
|
// On real success we map the context to the callers address
|
|
// space.
|
|
//
|
|
|
|
TempStatus = KerbMapContext(
|
|
Context,
|
|
MappedContext,
|
|
ContextData
|
|
);
|
|
|
|
D_DebugLog((DEB_TRACE, "SpInitLsaModeContext called KerbMapContext ContextAttributes %#x, %#x\n", Context->ContextAttributes, TempStatus));
|
|
|
|
if (!NT_SUCCESS(TempStatus))
|
|
{
|
|
Status = TempStatus;
|
|
}
|
|
|
|
//
|
|
// Update the skew time with a success
|
|
//
|
|
|
|
KerbUpdateSkewTime(FALSE);
|
|
}
|
|
|
|
if (NULL != CredManCredentials)
|
|
{
|
|
KerbDereferenceCredmanCred(
|
|
CredManCredentials,
|
|
&LogonSession->CredmanCredentials
|
|
);
|
|
}
|
|
|
|
if( pbMarshalledTargetInfo )
|
|
{
|
|
LocalFree( pbMarshalledTargetInfo );
|
|
}
|
|
|
|
if (TgtReply != NULL)
|
|
{
|
|
KerbFreeData(KERB_TGT_REPLY_PDU, TgtReply);
|
|
}
|
|
|
|
if (LogonSession != NULL)
|
|
{
|
|
KerbDereferenceLogonSession( LogonSession );
|
|
}
|
|
|
|
if (Credential != NULL)
|
|
{
|
|
KerbDereferenceCredential( Credential );
|
|
}
|
|
|
|
if (TicketCacheEntry != NULL)
|
|
{
|
|
KerbDereferenceTicketCacheEntry( TicketCacheEntry );
|
|
}
|
|
|
|
if ( SpnCacheEntry != NULL )
|
|
{
|
|
KerbDereferenceSpnCacheEntry( SpnCacheEntry );
|
|
}
|
|
|
|
KerbFreeKerbError( ErrorMessage );
|
|
if (NULL != pExtendedError)
|
|
{
|
|
KerbFree(pExtendedError);
|
|
}
|
|
|
|
if (ErrorData != NULL)
|
|
{
|
|
MIDL_user_free(ErrorData);
|
|
}
|
|
if (Request != NULL)
|
|
{
|
|
KerbFree(Request);
|
|
}
|
|
if (Reply != NULL)
|
|
{
|
|
KerbFree(Reply);
|
|
}
|
|
|
|
KerbFreeKey(&SubSessionKey);
|
|
|
|
KerbFreeString( &TargetDomainName );
|
|
KerbFreeKdcName( &TargetInternalName );
|
|
|
|
D_DebugLog((DEB_TRACE_LEAKS, "SpInitLsaModeContext returned 0x%x, Context 0x%x, Pid 0x%x\n",KerbMapKerbNtStatusToNtStatus(Status), *NewContextHandle, ClientProcess));
|
|
D_DebugLog((DEB_TRACE_API, "SpInitLsaModeContext returned 0x%x\n", KerbMapKerbNtStatusToNtStatus(Status)));
|
|
|
|
return(KerbMapKerbNtStatusToNtStatus(Status));
|
|
}
|
|
|
|
|
|
NTSTATUS NTAPI
|
|
SpApplyControlToken(
|
|
IN LSA_SEC_HANDLE ContextHandle,
|
|
IN PSecBufferDesc ControlToken
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_NOT_SUPPORTED;
|
|
D_DebugLog((DEB_TRACE_API,"SpApplyControlToken Called\n"));
|
|
D_DebugLog((DEB_TRACE_API,"SpApplyControlToken returned 0x%x\n", KerbMapKerbNtStatusToNtStatus(Status)));
|
|
return(KerbMapKerbNtStatusToNtStatus(Status));
|
|
}
|
|
|
|
|
|
#ifndef WIN32_CHICAGO //we don't do server side stuff
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpAcceptLsaModeContext
|
|
//
|
|
// Synopsis: Kerberos support routine for AcceptSecurityContext call.
|
|
// This routine accepts an AP request message from a client
|
|
// and verifies that it is a valid ticket. If mutual
|
|
// authentication is desired an AP reply is generated to
|
|
// send back to the client.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS NTAPI
|
|
SpAcceptLsaModeContext(
|
|
IN OPTIONAL LSA_SEC_HANDLE CredentialHandle,
|
|
IN OPTIONAL LSA_SEC_HANDLE ContextHandle,
|
|
IN PSecBufferDesc InputBuffers,
|
|
IN ULONG ContextRequirements,
|
|
IN ULONG TargetDataRep,
|
|
OUT PLSA_SEC_HANDLE NewContextHandle,
|
|
OUT PSecBufferDesc OutputBuffers,
|
|
OUT PULONG ContextAttributes,
|
|
OUT PTimeStamp ExpirationTime,
|
|
OUT PBOOLEAN MappedContext,
|
|
OUT PSecBuffer ContextData
|
|
)
|
|
{
|
|
PKERB_LOGON_SESSION LogonSession = NULL;
|
|
PKERB_CREDENTIAL Credential = NULL;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
NTSTATUS LastStatus = STATUS_SUCCESS;
|
|
PKERB_AP_REQUEST Request = NULL;
|
|
PUCHAR Reply = NULL;
|
|
PSecBuffer InputToken = NULL;
|
|
PSecBuffer OutputToken = NULL;
|
|
ULONG Index;
|
|
ULONG ReplySize;
|
|
LUID LogonId;
|
|
PKERB_ENCRYPTED_TICKET InternalTicket = NULL;
|
|
PKERB_AUTHENTICATOR InternalAuthenticator = NULL;
|
|
KERB_ENCRYPTION_KEY SessionKey;
|
|
KERB_ENCRYPTION_KEY TicketKey;
|
|
KERB_ENCRYPTION_KEY ServerKey;
|
|
PKERB_CONTEXT Context = NULL;
|
|
TimeStamp ContextLifetime;
|
|
HANDLE TokenHandle = 0;
|
|
ULONG ContextFlags = 0;
|
|
ULONG ContextAttribs = KERB_CONTEXT_INBOUND;
|
|
ULONG NegotiationInfo = SECPKG_NEGOTIATION_COMPLETE;
|
|
ULONG Nonce = 0;
|
|
ULONG ReceiveNonce = 0;
|
|
BOOLEAN UseSuppliedCreds = FALSE;
|
|
ULONG_PTR LocalCredentialHandle = 0;
|
|
PSID UserSid = NULL;
|
|
KERBERR KerbErr = KDC_ERR_NONE;
|
|
KERB_CONTEXT_STATE ContextState = InvalidState;
|
|
UNICODE_STRING ServiceDomain = {0};
|
|
UNICODE_STRING ClientName = {0};
|
|
UNICODE_STRING ClientDomain = {0};
|
|
UNICODE_STRING ClientNetbiosDomain = {0};
|
|
UNICODE_STRING WorkstationName = {0};
|
|
BOOLEAN IsTgtRequest = FALSE;
|
|
ULONG ClientProcess = 0;
|
|
PSEC_CHANNEL_BINDINGS pChannelBindings = NULL;
|
|
PS4U_DELEGATION_INFO S4UDelegationInfo = NULL;
|
|
PLSA_ADT_STRING_LIST TransittedServices = NULL;
|
|
|
|
KERB_ACCEPTSC_INFO AcceptSCTraceInfo;
|
|
|
|
D_DebugLog((DEB_TRACE_API, "SpAcceptLsaModeContext 0x%x called\n", ContextHandle));
|
|
|
|
if ( KerbEventTraceFlag ) // Event Trace: KerbAcceptSecurityContextStart {No Data}
|
|
{
|
|
AcceptSCTraceInfo.EventTrace.Guid = KerbAcceptSCGuid;
|
|
AcceptSCTraceInfo.EventTrace.Class.Type = EVENT_TRACE_TYPE_START;
|
|
AcceptSCTraceInfo.EventTrace.Flags = WNODE_FLAG_TRACED_GUID;
|
|
AcceptSCTraceInfo.EventTrace.Size = sizeof (EVENT_TRACE_HEADER);
|
|
|
|
TraceEvent(
|
|
KerbTraceLoggerHandle,
|
|
(PEVENT_TRACE_HEADER)&AcceptSCTraceInfo
|
|
);
|
|
}
|
|
|
|
//
|
|
// Initialize the outputs.
|
|
//
|
|
|
|
*ContextAttributes = 0;
|
|
*NewContextHandle = 0;
|
|
*ExpirationTime = KerbGlobalHasNeverTime;
|
|
*MappedContext = FALSE;
|
|
ContextData->pvBuffer = NULL;
|
|
ContextData->cbBuffer = 0;
|
|
|
|
RtlZeroMemory(
|
|
&SessionKey,
|
|
sizeof(KERB_ENCRYPTION_KEY)
|
|
);
|
|
TicketKey = SessionKey;
|
|
ServerKey = TicketKey;
|
|
|
|
if (!KerbGlobalInitialized)
|
|
{
|
|
Status = STATUS_INVALID_SERVER_STATE;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// First locate the Input token.
|
|
//
|
|
|
|
for (Index = 0; Index < InputBuffers->cBuffers ; Index++ )
|
|
{
|
|
if (BUFFERTYPE(InputBuffers->pBuffers[Index]) == SECBUFFER_TOKEN)
|
|
{
|
|
InputToken = &InputBuffers->pBuffers[Index];
|
|
Status = LsaFunctions->MapBuffer(InputToken,InputToken);
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to map Input token: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Check to see if we were passed channel bindings
|
|
//
|
|
|
|
for ( Index = 0; Index < InputBuffers->cBuffers; Index++ )
|
|
{
|
|
if( BUFFERTYPE(InputBuffers->pBuffers[Index]) == SECBUFFER_CHANNEL_BINDINGS )
|
|
{
|
|
Status = LsaFunctions->MapBuffer(
|
|
&InputBuffers->pBuffers[Index],
|
|
&InputBuffers->pBuffers[Index]
|
|
);
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
pChannelBindings = (PSEC_CHANNEL_BINDINGS) InputBuffers->pBuffers[Index].pvBuffer;
|
|
|
|
Status = KerbValidateChannelBindings(pChannelBindings,
|
|
InputBuffers->pBuffers[Index].cbBuffer);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
pChannelBindings = NULL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
break;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Locate the output token
|
|
//
|
|
|
|
for (Index = 0; Index < OutputBuffers->cBuffers ; Index++ )
|
|
{
|
|
if (BUFFERTYPE(OutputBuffers->pBuffers[Index]) == SECBUFFER_TOKEN)
|
|
{
|
|
OutputToken = &OutputBuffers->pBuffers[Index];
|
|
Status = LsaFunctions->MapBuffer(OutputToken,OutputToken);
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to map output token: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// If the context handle is no NULL we are finalizing a context
|
|
//
|
|
|
|
if (ContextHandle != 0)
|
|
{
|
|
if (InputToken == NULL)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Trying to complete a context with no input token! %ws, line %d\n", THIS_FILE, __LINE__));
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// First reference the context.
|
|
//
|
|
|
|
Status = KerbReferenceContext(
|
|
ContextHandle,
|
|
FALSE, // don't unlink
|
|
&Context
|
|
);
|
|
if (Context == NULL)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to reference context 0x%x. %ws, line %d\n",ContextHandle, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Check the mode of the context to make sure we can finalize it.
|
|
//
|
|
|
|
KerbReadLockContexts();
|
|
|
|
ContextState = Context->ContextState;
|
|
if (((ContextState != ApReplySentState) &&
|
|
(ContextState != TgtReplySentState) &&
|
|
(ContextState != ErrorMessageSentState)) ||
|
|
((Context->ContextAttributes & KERB_CONTEXT_INBOUND) == 0))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Invalid context state: %d. %ws, line %d\n",
|
|
Context->ContextState, THIS_FILE, __LINE__));
|
|
Status = STATUS_INVALID_HANDLE;
|
|
KerbUnlockContexts();
|
|
goto Cleanup;
|
|
}
|
|
|
|
if ((Context->ContextAttributes & KERB_CONTEXT_USED_SUPPLIED_CREDS) != 0)
|
|
{
|
|
UseSuppliedCreds = TRUE;
|
|
}
|
|
|
|
ContextFlags = Context->ContextFlags;
|
|
LogonId = Context->LogonId;
|
|
LocalCredentialHandle = Context->CredentialHandle;
|
|
ClientProcess = Context->ClientProcess;
|
|
KerbUnlockContexts();
|
|
}
|
|
|
|
if (CredentialHandle != 0)
|
|
{
|
|
if ((LocalCredentialHandle != 0) && (CredentialHandle != LocalCredentialHandle))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Different cred handle passsed to subsequent call to AcceptSecurityContext: 0x%x instead of 0x%x. %ws, line %d\n",
|
|
CredentialHandle, LocalCredentialHandle, THIS_FILE, __LINE__ ));
|
|
Status = STATUS_WRONG_CREDENTIAL_HANDLE;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
CredentialHandle = LocalCredentialHandle;
|
|
}
|
|
//
|
|
// If we are finalizing a context, do that here
|
|
//
|
|
|
|
if (ContextState == ApReplySentState)
|
|
{
|
|
//
|
|
// If we are doing datgram, then the finalize is actually an AP request
|
|
//
|
|
|
|
if ((ContextFlags & ISC_RET_DATAGRAM) != 0)
|
|
{
|
|
//
|
|
// Get the logon session
|
|
//
|
|
|
|
LogonSession = KerbReferenceLogonSession( &LogonId, FALSE );
|
|
if (LogonSession == NULL)
|
|
{
|
|
Status = STATUS_NO_SUCH_LOGON_SESSION;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// If we are using supplied creds, get the credentials. Copy
|
|
// out the domain name so we can use it to verify the PAC.
|
|
//
|
|
|
|
Status = KerbReferenceCredential(
|
|
LocalCredentialHandle,
|
|
KERB_CRED_INBOUND,
|
|
FALSE, // don't dereference
|
|
&Credential
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (UseSuppliedCreds)
|
|
{
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
Status = KerbDuplicateString(
|
|
&ServiceDomain,
|
|
&Credential->SuppliedCredentials->DomainName
|
|
);
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
}
|
|
else
|
|
{
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
Status = KerbDuplicateString(
|
|
&ServiceDomain,
|
|
&LogonSession->PrimaryCredentials.DomainName
|
|
);
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
}
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Verify the AP request
|
|
//
|
|
|
|
Status = KerbVerifyApRequest(
|
|
Context,
|
|
(PUCHAR) InputToken->pvBuffer,
|
|
InputToken->cbBuffer,
|
|
LogonSession,
|
|
Credential,
|
|
UseSuppliedCreds,
|
|
((ContextRequirements & ASC_REQ_ALLOW_CONTEXT_REPLAY) == 0),
|
|
&Request,
|
|
&InternalTicket,
|
|
&InternalAuthenticator,
|
|
&SessionKey,
|
|
&TicketKey,
|
|
&ServerKey,
|
|
&ContextFlags,
|
|
&ContextAttribs,
|
|
&KerbErr,
|
|
pChannelBindings
|
|
);
|
|
|
|
//
|
|
// We don't allow user-to-user recovery with datagram
|
|
//
|
|
|
|
if ((Status == STATUS_REPARSE_OBJECT) // this is a TGT request
|
|
|| ((Status == SEC_E_NO_CREDENTIALS) && (KerbErr == KRB_AP_ERR_USER_TO_USER_REQUIRED)))
|
|
{
|
|
DebugLog((DEB_ERROR, "Won't allow user2user with Datagram. %ws, line %d\n", THIS_FILE, __LINE__));
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
KerbErr = KRB_AP_ERR_MSG_TYPE;
|
|
goto ErrorReturn;
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR, "Failed to verify AP request: 0x%x. %ws, line %d\n", Status, THIS_FILE, __LINE__));
|
|
|
|
//
|
|
// Let the skew tracker know about the failure
|
|
//
|
|
|
|
if (KerbErr == KRB_AP_ERR_SKEW)
|
|
{
|
|
KerbUpdateSkewTime(TRUE);
|
|
}
|
|
|
|
//
|
|
// Go to ErrorReturn so we can return an error message
|
|
//
|
|
|
|
goto ErrorReturn;
|
|
}
|
|
|
|
//
|
|
// Turn on the flag if it was called for
|
|
//
|
|
|
|
if ((ContextRequirements & ASC_REQ_ALLOW_CONTEXT_REPLAY) != 0)
|
|
{
|
|
ContextFlags |= ASC_RET_ALLOW_CONTEXT_REPLAY;
|
|
}
|
|
|
|
//
|
|
// Record the success
|
|
//
|
|
|
|
KerbUpdateSkewTime(FALSE);
|
|
|
|
//
|
|
// Check if the caller wants to allow null sessions
|
|
//
|
|
|
|
if (((ContextFlags & ISC_RET_NULL_SESSION) != 0) &&
|
|
((ContextRequirements & ASC_REQ_ALLOW_NULL_SESSION) == 0))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Received null session but not allowed. %ws, line %d\n", THIS_FILE, __LINE__));
|
|
Status = STATUS_LOGON_FAILURE;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Save away the ReceiveNonce if it was provided
|
|
//
|
|
|
|
if ((InternalAuthenticator!= NULL) &&
|
|
((InternalAuthenticator->bit_mask & KERB_AUTHENTICATOR_sequence_number_present) != 0))
|
|
{
|
|
|
|
//
|
|
// If the number is unsigned, convert it as unsigned. Otherwise
|
|
// convert as signed.
|
|
//
|
|
|
|
if (ASN1intxisuint32(&InternalAuthenticator->KERB_AUTHENTICATOR_sequence_number))
|
|
{
|
|
ReceiveNonce = ASN1intx2uint32(&InternalAuthenticator->KERB_AUTHENTICATOR_sequence_number);
|
|
}
|
|
else
|
|
{
|
|
ReceiveNonce = (ULONG) ASN1intx2int32(&InternalAuthenticator->KERB_AUTHENTICATOR_sequence_number);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
ReceiveNonce = 0;
|
|
}
|
|
|
|
//
|
|
// Authentication succeeded, so build a token
|
|
//
|
|
|
|
#ifdef DBG
|
|
InterlockedIncrement(&Token); // make sure we audit all token creation.
|
|
#endif
|
|
|
|
Status = KerbCreateTokenFromTicket(
|
|
&LogonId,
|
|
Request,
|
|
InternalTicket,
|
|
InternalAuthenticator,
|
|
ContextFlags,
|
|
&ServerKey,
|
|
&ServiceDomain,
|
|
&SessionKey,
|
|
&LogonId,
|
|
&UserSid,
|
|
&TokenHandle,
|
|
&ClientName,
|
|
&ClientDomain,
|
|
&ClientNetbiosDomain,
|
|
&S4UDelegationInfo
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to create token from ticket: 0x%x. %ws, line %d\n",
|
|
Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
Status = KerbUpdateServerContext(
|
|
Context,
|
|
InternalTicket,
|
|
Request,
|
|
&SessionKey,
|
|
&LogonId,
|
|
&UserSid,
|
|
ContextFlags,
|
|
ContextAttribs,
|
|
NegotiationInfo,
|
|
Nonce,
|
|
ReceiveNonce,
|
|
&TokenHandle,
|
|
&ClientName,
|
|
&ClientDomain,
|
|
&ClientNetbiosDomain,
|
|
&ContextLifetime
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to create server context: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Now unpack the AP reply
|
|
//
|
|
Status = KerbVerifyApReply(
|
|
Context,
|
|
(PUCHAR) InputToken->pvBuffer,
|
|
InputToken->cbBuffer,
|
|
&Nonce
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to verify AP reply: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// We're done - we finalized.
|
|
//
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
if (OutputToken != NULL)
|
|
{
|
|
OutputToken->cbBuffer = 0;
|
|
}
|
|
}
|
|
|
|
KerbReadLockContexts();
|
|
*ContextAttributes = KerbMapContextFlags(Context->ContextFlags);
|
|
|
|
KerbUtcTimeToLocalTime(
|
|
ExpirationTime,
|
|
&Context->Lifetime
|
|
);
|
|
|
|
if (OutputToken != NULL)
|
|
{
|
|
OutputToken->cbBuffer = 0;
|
|
}
|
|
|
|
*NewContextHandle = ContextHandle;
|
|
KerbUnlockContexts();
|
|
|
|
goto Cleanup; // datagram and finalized contexts exit here.
|
|
}
|
|
|
|
//
|
|
// Get the associated credential
|
|
//
|
|
|
|
Status = KerbReferenceCredential(
|
|
CredentialHandle,
|
|
KERB_CRED_INBOUND,
|
|
FALSE,
|
|
&Credential
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_WARN,"Failed to locate credential 0x%x\n",Status));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Get the logon id from the credentials so we can locate the
|
|
// logon session.
|
|
//
|
|
|
|
LogonId = Credential->LogonId;
|
|
|
|
//
|
|
// Get the logon session
|
|
//
|
|
|
|
LogonSession = KerbReferenceLogonSession( &LogonId, FALSE );
|
|
if (LogonSession == NULL)
|
|
{
|
|
Status = STATUS_NO_SUCH_LOGON_SESSION;
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
if ((Credential->CredentialFlags & KERB_CRED_LOCAL_ACCOUNT) != 0)
|
|
{
|
|
D_DebugLog((DEB_WARN, "Trying to use a local logon session with Kerberos\n"));
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
Status = SEC_E_NO_CREDENTIALS;
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (Credential->SuppliedCredentials != NULL)
|
|
{
|
|
UseSuppliedCreds = TRUE;
|
|
ContextAttribs |= KERB_CONTEXT_USED_SUPPLIED_CREDS;
|
|
Status = KerbDuplicateString(
|
|
&ServiceDomain,
|
|
&Credential->SuppliedCredentials->DomainName
|
|
);
|
|
|
|
}
|
|
else
|
|
{
|
|
Status = KerbDuplicateString(
|
|
&ServiceDomain,
|
|
&LogonSession->PrimaryCredentials.DomainName
|
|
);
|
|
}
|
|
|
|
#if DBG
|
|
D_DebugLog((DEB_TRACE_CTXT, "SpAcceptLsaModeContext: Accepting context for %wZ\\%wZ\n",
|
|
&LogonSession->PrimaryCredentials.DomainName,
|
|
&LogonSession->PrimaryCredentials.UserName ));
|
|
#endif
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// If datagram was requested, note it now. There is no input
|
|
// buffer on the first call using datagram.
|
|
//
|
|
|
|
if ((ContextRequirements & ASC_REQ_DATAGRAM) != 0)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT2, "Accepting datagram first call\n"));
|
|
|
|
//
|
|
// Verify that there is no input token or it is small. RPC passes
|
|
// in two bytes for the DEC package that we can ignore.
|
|
//
|
|
|
|
if ((InputToken != NULL) &&
|
|
(InputToken->cbBuffer > 4))
|
|
{
|
|
D_DebugLog((DEB_WARN, "Non null input token passed to AcceptSecurityContext for datagram\n"));
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
goto Cleanup;
|
|
}
|
|
|
|
ContextFlags |= ISC_RET_DATAGRAM;
|
|
ReceiveNonce = 0;
|
|
|
|
//
|
|
// Build a server context
|
|
//
|
|
|
|
Status = KerbCreateEmptyContext(
|
|
Credential,
|
|
ContextFlags,
|
|
ContextAttribs,
|
|
NegotiationInfo,
|
|
&LogonId,
|
|
&Context,
|
|
&ContextLifetime
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to create server context: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (OutputToken != NULL)
|
|
{
|
|
OutputToken->cbBuffer = 0;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT2, "Accepting connection first call\n"));
|
|
|
|
//
|
|
// Unmarshall the AP request
|
|
//
|
|
|
|
if ((InputToken == NULL) ||
|
|
(InputToken->cbBuffer == 0))
|
|
{
|
|
D_DebugLog((DEB_WARN, "Null input token passed to AcceptSecurityContext for datagram\n"));
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Verify the AP request
|
|
//
|
|
|
|
Status = KerbVerifyApRequest(
|
|
Context,
|
|
(PUCHAR) InputToken->pvBuffer,
|
|
InputToken->cbBuffer,
|
|
LogonSession,
|
|
Credential,
|
|
UseSuppliedCreds,
|
|
((ContextRequirements & ASC_REQ_ALLOW_CONTEXT_REPLAY) == 0),
|
|
&Request,
|
|
&InternalTicket,
|
|
&InternalAuthenticator,
|
|
&SessionKey,
|
|
&TicketKey,
|
|
&ServerKey,
|
|
&ContextFlags,
|
|
&ContextAttribs,
|
|
&KerbErr,
|
|
pChannelBindings
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
//
|
|
// Track time skew errors
|
|
//
|
|
|
|
if ((KerbErr == KRB_AP_ERR_SKEW) ||
|
|
(KerbErr == KRB_AP_ERR_TKT_NYV))
|
|
{
|
|
KerbUpdateSkewTime(TRUE);
|
|
}
|
|
|
|
DebugLog((DEB_WARN, "Failed to verify AP request (need u2u? %s): %#x. %ws, line %d\n",
|
|
KerbErr == KRB_AP_ERR_USER_TO_USER_REQUIRED ? "true" : "false",
|
|
Status, THIS_FILE, __LINE__));
|
|
|
|
goto ErrorReturn;
|
|
}
|
|
|
|
ContextFlags |= ISC_RET_CONNECTION;
|
|
|
|
//
|
|
// Check if this was a user-to-user tgt request. If so, then
|
|
// there was no AP request
|
|
//
|
|
|
|
if (Status == STATUS_REPARSE_OBJECT)
|
|
{
|
|
IsTgtRequest = TRUE;
|
|
|
|
Status = KerbHandleTgtRequest(
|
|
LogonSession,
|
|
Credential,
|
|
UseSuppliedCreds,
|
|
(PUCHAR) InputToken->pvBuffer,
|
|
InputToken->cbBuffer,
|
|
ContextRequirements,
|
|
OutputToken,
|
|
&LogonId,
|
|
ContextAttributes,
|
|
&Context,
|
|
&ContextLifetime,
|
|
&KerbErr
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto ErrorReturn;
|
|
}
|
|
|
|
ContextFlags |= ISC_RET_USE_SESSION_KEY;
|
|
|
|
D_DebugLog((DEB_TRACE_U2U, "SpAcceptLsaModeContext handled TGT request and use_session_key set, ContextAttributes %#x\n", Context->ContextAttributes));
|
|
}
|
|
else // not a user-to-user request
|
|
{
|
|
//
|
|
// Track successful time if this wasn't an error recovery
|
|
//
|
|
|
|
if (ContextState != ErrorMessageSentState)
|
|
{
|
|
KerbUpdateSkewTime(FALSE);
|
|
}
|
|
if ((InternalAuthenticator != NULL) &&
|
|
(InternalAuthenticator->bit_mask & KERB_AUTHENTICATOR_sequence_number_present))
|
|
{
|
|
//
|
|
// If the number is unsigned, convert it as unsigned. Otherwise
|
|
// convert as signed.
|
|
//
|
|
|
|
if (ASN1intxisuint32(&InternalAuthenticator->KERB_AUTHENTICATOR_sequence_number))
|
|
{
|
|
ReceiveNonce = ASN1intx2uint32(&InternalAuthenticator->KERB_AUTHENTICATOR_sequence_number);
|
|
}
|
|
else
|
|
{
|
|
ReceiveNonce = (ULONG) ASN1intx2int32(&InternalAuthenticator->KERB_AUTHENTICATOR_sequence_number);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
ReceiveNonce = 0;
|
|
}
|
|
|
|
//
|
|
// Initialize the opposite direction nonce to the same value
|
|
//
|
|
|
|
Nonce = ReceiveNonce;
|
|
|
|
//
|
|
// Turn on the flag if it was called for
|
|
//
|
|
|
|
if ((ContextRequirements & ASC_REQ_ALLOW_CONTEXT_REPLAY) != 0)
|
|
{
|
|
ContextFlags |= ASC_RET_ALLOW_CONTEXT_REPLAY;
|
|
}
|
|
|
|
//
|
|
// Check if the caller wants to allow null sessions
|
|
//
|
|
|
|
if (((ContextFlags & ISC_RET_NULL_SESSION) != 0) &&
|
|
((ContextRequirements & ASC_REQ_ALLOW_NULL_SESSION) == 0))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Received null session but not allowed. %ws, line %d\n", THIS_FILE, __LINE__));
|
|
Status = STATUS_LOGON_FAILURE;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Authentication succeeded, so build a token
|
|
//
|
|
D_DebugLog((DEB_TRACE_CTXT2, "AcceptLsaModeContext: Creating token from ticket\n"));
|
|
#ifdef DBG
|
|
InterlockedIncrement(&Token); // make sure we audit all token creation
|
|
#endif
|
|
|
|
Status = KerbCreateTokenFromTicket(
|
|
&LogonId,
|
|
Request,
|
|
InternalTicket,
|
|
InternalAuthenticator,
|
|
ContextFlags,
|
|
&ServerKey,
|
|
&ServiceDomain,
|
|
&SessionKey,
|
|
&LogonId,
|
|
&UserSid,
|
|
&TokenHandle,
|
|
&ClientName,
|
|
&ClientDomain,
|
|
&ClientNetbiosDomain,
|
|
&S4UDelegationInfo
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to create token from ticket: 0x%x. %ws, line %d\n",
|
|
Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// If the caller wants mutual authentication, build an AP reply
|
|
//
|
|
|
|
if (((ContextFlags & ISC_RET_MUTUAL_AUTH) != 0) ||
|
|
((ContextFlags & ISC_RET_USED_DCE_STYLE) != 0))
|
|
{
|
|
//
|
|
// We require an output token in this case.
|
|
//
|
|
|
|
if (OutputToken == NULL)
|
|
{
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
DebugLog((DEB_ERROR,"SpAcceptLsaModeContext encountered null output token\n"));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Build the reply message
|
|
//
|
|
|
|
D_DebugLog((DEB_TRACE_CTXT2,"SpAcceptLsaModeContext: Building AP reply\n"));
|
|
Status = KerbBuildApReply(
|
|
InternalAuthenticator,
|
|
Request,
|
|
ContextFlags,
|
|
ContextAttribs,
|
|
&TicketKey,
|
|
&SessionKey,
|
|
&Nonce,
|
|
&Reply,
|
|
&ReplySize
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to build AP reply: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (OutputToken == NULL)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Output token missing. %ws, line %d\n", THIS_FILE, __LINE__));
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Return the AP reply in the output buffer.
|
|
//
|
|
|
|
if ((ContextRequirements & ISC_REQ_ALLOCATE_MEMORY) == 0)
|
|
{
|
|
if (OutputToken->cbBuffer < ReplySize)
|
|
{
|
|
ULONG ErrorData[3];
|
|
|
|
ErrorData[0] = ReplySize;
|
|
ErrorData[1] = OutputToken->cbBuffer;
|
|
ErrorData[2] = ClientProcess;
|
|
|
|
|
|
D_DebugLog((DEB_ERROR,"Output token is too small - sent in %d, needed %d. %ws, line %d\n",
|
|
OutputToken->cbBuffer,ReplySize, THIS_FILE, __LINE__ ));
|
|
OutputToken->cbBuffer = ReplySize;
|
|
Status = STATUS_BUFFER_TOO_SMALL;
|
|
|
|
KerbReportNtstatus(
|
|
KERBEVT_INSUFFICIENT_TOKEN_SIZE,
|
|
Status,
|
|
NULL,
|
|
0,
|
|
ErrorData,
|
|
3
|
|
);
|
|
|
|
goto Cleanup;
|
|
}
|
|
|
|
RtlCopyMemory(
|
|
OutputToken->pvBuffer,
|
|
Reply,
|
|
ReplySize
|
|
);
|
|
}
|
|
else
|
|
{
|
|
OutputToken->pvBuffer = Reply;
|
|
Reply = NULL;
|
|
*ContextAttributes |= ASC_RET_ALLOCATED_MEMORY;
|
|
}
|
|
|
|
OutputToken->cbBuffer = ReplySize;
|
|
}
|
|
else
|
|
{
|
|
if (OutputToken != NULL)
|
|
{
|
|
OutputToken->cbBuffer = 0;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Build a server context if we don't already have one.
|
|
//
|
|
|
|
//
|
|
// Turn on the flag if it was called for
|
|
//
|
|
|
|
if ((ContextRequirements & ASC_REQ_ALLOW_CONTEXT_REPLAY) != 0)
|
|
{
|
|
ContextFlags |= ASC_RET_ALLOW_CONTEXT_REPLAY;
|
|
}
|
|
|
|
if (Context == NULL)
|
|
{
|
|
Status = KerbCreateServerContext(
|
|
LogonSession,
|
|
Credential,
|
|
InternalTicket,
|
|
Request,
|
|
&SessionKey,
|
|
&LogonId,
|
|
&UserSid,
|
|
ContextFlags,
|
|
ContextAttribs,
|
|
NegotiationInfo,
|
|
Nonce,
|
|
ReceiveNonce,
|
|
&TokenHandle,
|
|
&ClientName,
|
|
&ClientDomain,
|
|
&ClientNetbiosDomain,
|
|
&Context,
|
|
&ContextLifetime
|
|
);
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Update an existing context
|
|
//
|
|
|
|
Status = KerbUpdateServerContext(
|
|
Context,
|
|
InternalTicket,
|
|
Request,
|
|
&SessionKey,
|
|
&LogonId,
|
|
&UserSid,
|
|
ContextFlags,
|
|
ContextAttribs,
|
|
NegotiationInfo,
|
|
Nonce,
|
|
ReceiveNonce,
|
|
&TokenHandle,
|
|
&ClientName,
|
|
&ClientDomain,
|
|
&ClientNetbiosDomain,
|
|
&ContextLifetime
|
|
);
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to create or update server context: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
} // not a TGT request
|
|
} // not datagram
|
|
*NewContextHandle = KerbGetContextHandle(Context);
|
|
KerbUtcTimeToLocalTime(
|
|
ExpirationTime,
|
|
&ContextLifetime
|
|
);
|
|
|
|
#if DBG
|
|
KerbReadLockContexts();
|
|
ClientProcess = Context->ClientProcess;
|
|
KerbUnlockContexts();
|
|
#endif // DBG
|
|
|
|
*ContextAttributes |= KerbMapContextFlags(ContextFlags);
|
|
|
|
if (IsTgtRequest || (((ContextFlags & ISC_RET_USED_DCE_STYLE) != 0) ||
|
|
((ContextFlags & ISC_RET_DATAGRAM) != 0)))
|
|
{
|
|
Status = SEC_I_CONTINUE_NEEDED;
|
|
}
|
|
|
|
goto Cleanup;
|
|
|
|
ErrorReturn:
|
|
|
|
//
|
|
// Generate a KERB_ERROR message if necessary, meaning that there was
|
|
// an authentication failure.
|
|
//
|
|
|
|
if ((OutputToken != NULL ) &&
|
|
(!KERB_SUCCESS(KerbErr) ||
|
|
((ContextRequirements & ASC_REQ_EXTENDED_ERROR) != 0) ||
|
|
((ContextFlags & ISC_RET_EXTENDED_ERROR) != 0)))
|
|
{
|
|
NTSTATUS TempStatus;
|
|
PBYTE ErrorMessage = NULL;
|
|
ULONG ErrorMessageSize;
|
|
PBYTE ErrorData = NULL;
|
|
ULONG ErrorDataSize = 0;
|
|
|
|
|
|
//
|
|
// Check whether it is an error we want the client to retry on.
|
|
// For datagram, we can't handle this.
|
|
//
|
|
|
|
if (ContextRequirements & ASC_REQ_DATAGRAM)
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
if (!(((ContextRequirements & ASC_REQ_EXTENDED_ERROR) != 0) ||
|
|
(KerbErr == KRB_AP_ERR_USER_TO_USER_REQUIRED) ||
|
|
(KerbErr == KRB_AP_ERR_SKEW) ||
|
|
(KerbErr == KRB_AP_ERR_TKT_NYV) ||
|
|
(KerbErr == KRB_AP_ERR_TKT_EXPIRED) ||
|
|
(KerbErr == KRB_AP_ERR_MODIFIED) ))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Create an empty context that can be used later
|
|
//
|
|
|
|
if (Context == NULL)
|
|
{
|
|
TempStatus = KerbCreateEmptyContext(
|
|
Credential,
|
|
ContextFlags,
|
|
ContextAttribs,
|
|
NegotiationInfo,
|
|
&LogonId,
|
|
&Context,
|
|
&ContextLifetime
|
|
);
|
|
if (!NT_SUCCESS(TempStatus))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
//
|
|
// if the error code is one with error data, build the error data
|
|
//
|
|
|
|
switch ((UINT_PTR) KerbErr)
|
|
{
|
|
case (UINT_PTR) KRB_AP_ERR_USER_TO_USER_REQUIRED:
|
|
NTSTATUS TempStatus;
|
|
|
|
//
|
|
// KerbBuildTgtErrorReply shall fail if neither TGTs nor longer secrets are available
|
|
//
|
|
|
|
TempStatus = KerbBuildTgtErrorReply(
|
|
LogonSession,
|
|
Credential,
|
|
UseSuppliedCreds,
|
|
Context,
|
|
&ErrorDataSize,
|
|
&ErrorData
|
|
);
|
|
|
|
D_DebugLog((DEB_TRACE_U2U, "SpAcceptLsaModeContext called KerbBuildTgtErrorReply %#x\n", TempStatus));
|
|
|
|
if (TempStatus == STATUS_USER2USER_REQUIRED)
|
|
{
|
|
KerbErr = KRB_AP_ERR_NO_TGT;
|
|
}
|
|
else if (!NT_SUCCESS(TempStatus))
|
|
{
|
|
D_DebugLog((DEB_ERROR, "Failed to build tgt error reply: 0x%x. Ignoring. %ws, line %d\n", TempStatus, THIS_FILE, __LINE__));
|
|
}
|
|
|
|
break;
|
|
case (UINT_PTR) KDC_ERR_NONE:
|
|
//
|
|
// In this case, return the KRB_ERR_GENERIC and the NTSTATUS code
|
|
// in the error data
|
|
//
|
|
KerbErr = KRB_ERR_GENERIC;
|
|
ErrorData = (PUCHAR) &Status;
|
|
ErrorDataSize = sizeof(ULONG);
|
|
break;
|
|
}
|
|
|
|
TempStatus = KerbBuildGssErrorMessage(
|
|
KerbErr,
|
|
ErrorData,
|
|
ErrorDataSize,
|
|
Context,
|
|
&ErrorMessageSize,
|
|
&ErrorMessage
|
|
);
|
|
|
|
if ((ErrorData != NULL) && (ErrorData != (PUCHAR) &Status))
|
|
{
|
|
MIDL_user_free(ErrorData);
|
|
}
|
|
|
|
if (!NT_SUCCESS(TempStatus))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
if ((ContextRequirements & ISC_REQ_ALLOCATE_MEMORY) == 0)
|
|
{
|
|
if (OutputToken->cbBuffer < ErrorMessageSize)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Output token is too small - sent in %d, needed %d. %ws, line %d\n",
|
|
OutputToken->cbBuffer,ErrorMessageSize, THIS_FILE, __LINE__ ));
|
|
MIDL_user_free(ErrorMessage);
|
|
goto Cleanup;
|
|
}
|
|
else
|
|
{
|
|
DsysAssert(OutputToken->pvBuffer != NULL);
|
|
RtlCopyMemory(
|
|
OutputToken->pvBuffer,
|
|
ErrorMessage,
|
|
ErrorMessageSize
|
|
);
|
|
OutputToken->cbBuffer = ErrorMessageSize;
|
|
MIDL_user_free(ErrorMessage);
|
|
}
|
|
}
|
|
else
|
|
{
|
|
DsysAssert(OutputToken->pvBuffer == NULL);
|
|
OutputToken->cbBuffer = ErrorMessageSize;
|
|
OutputToken->pvBuffer = ErrorMessage;
|
|
ErrorMessage = NULL;
|
|
*ContextAttributes |= ASC_RET_ALLOCATED_MEMORY;
|
|
}
|
|
*ContextAttributes |= ASC_RET_EXTENDED_ERROR;
|
|
|
|
*NewContextHandle = KerbGetContextHandle(Context);
|
|
KerbUtcTimeToLocalTime(
|
|
ExpirationTime,
|
|
&ContextLifetime
|
|
);
|
|
*ContextAttributes |= KerbMapContextFlags(ContextFlags);
|
|
|
|
LastStatus = Status;
|
|
|
|
//
|
|
// now it is time to mark the context as user2user
|
|
//
|
|
|
|
if (KerbErr == KRB_AP_ERR_USER_TO_USER_REQUIRED)
|
|
{
|
|
DebugLog((DEB_TRACE_U2U, "SpInitLsaModeContext (TGT in error reply) USER2USER-INBOUND set\n"));
|
|
|
|
KerbWriteLockContexts()
|
|
Context->ContextAttributes |= KERB_CONTEXT_USER_TO_USER;
|
|
KerbUnlockContexts();
|
|
}
|
|
|
|
Status = SEC_I_CONTINUE_NEEDED;
|
|
}
|
|
|
|
Cleanup:
|
|
if( KerbEventTraceFlag ) // Event Trace: KerbAcceptSecurityContextEnd {Status, CredSource, DomainName, UserName, Target, (ExtError), (klininfo)}
|
|
{
|
|
|
|
PCWSTR TraceStrings[] =
|
|
{
|
|
L"CredMan",
|
|
L"Supplied",
|
|
L"Context",
|
|
L"LogonSession",
|
|
L"None"
|
|
};
|
|
enum { TSTR_CREDMAN = 0, TSTR_SUPPLIED, TSTR_CONTEXT, TSTR_LOGONSESSION, TSTR_NONE };
|
|
UNICODE_STRING UNICODE_NONE = { 4*sizeof(WCHAR), 4*sizeof(WCHAR), L"NONE" };
|
|
|
|
UNICODE_STRING CredSource;
|
|
PUNICODE_STRING trace_DomainName, trace_UserName, trace_target;
|
|
|
|
trace_target = (Context!=NULL) ? &Context->ServerPrincipalName : &UNICODE_NONE;
|
|
|
|
if( Context != NULL && Context->CredManCredentials != NULL )
|
|
{
|
|
RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_CREDMAN] );
|
|
trace_DomainName = &Context->CredManCredentials->SuppliedCredentials->DomainName;
|
|
trace_UserName = &Context->CredManCredentials->SuppliedCredentials->UserName;
|
|
}
|
|
else if( Credential != NULL && Credential->SuppliedCredentials != NULL )
|
|
{
|
|
RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_SUPPLIED] );
|
|
trace_DomainName = &Credential->SuppliedCredentials->DomainName;
|
|
trace_UserName = &Credential->SuppliedCredentials->UserName;
|
|
}
|
|
else if( Context != NULL )
|
|
{
|
|
RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_CONTEXT] );
|
|
trace_DomainName = &Context->ClientRealm;
|
|
trace_UserName = &Context->ClientName;
|
|
}
|
|
else if( LogonSession != NULL )
|
|
{
|
|
RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_LOGONSESSION] );
|
|
trace_DomainName = &LogonSession->PrimaryCredentials.DomainName;
|
|
trace_UserName = &LogonSession->PrimaryCredentials.UserName;
|
|
}
|
|
else
|
|
{
|
|
RtlInitUnicodeString( &CredSource, TraceStrings[TSTR_NONE] );
|
|
trace_DomainName = &UNICODE_NONE;
|
|
trace_UserName = &UNICODE_NONE;
|
|
}
|
|
|
|
INSERT_ULONG_INTO_MOF( Status, AcceptSCTraceInfo.MofData, 0 );
|
|
INSERT_UNICODE_STRING_INTO_MOF( CredSource, AcceptSCTraceInfo.MofData, 1 );
|
|
INSERT_UNICODE_STRING_INTO_MOF( *trace_DomainName, AcceptSCTraceInfo.MofData, 3 );
|
|
INSERT_UNICODE_STRING_INTO_MOF( *trace_UserName, AcceptSCTraceInfo.MofData, 5 );
|
|
INSERT_UNICODE_STRING_INTO_MOF( *trace_target, AcceptSCTraceInfo.MofData, 7 );
|
|
AcceptSCTraceInfo.EventTrace.Size = sizeof(EVENT_TRACE_HEADER) + 9*sizeof(MOF_FIELD);
|
|
|
|
// Set trace parameters
|
|
AcceptSCTraceInfo.EventTrace.Guid = KerbAcceptSCGuid;
|
|
AcceptSCTraceInfo.EventTrace.Class.Type = EVENT_TRACE_TYPE_END;
|
|
AcceptSCTraceInfo.EventTrace.Flags = WNODE_FLAG_TRACED_GUID | WNODE_FLAG_USE_MOF_PTR;
|
|
|
|
TraceEvent(
|
|
KerbTraceLoggerHandle,
|
|
(PEVENT_TRACE_HEADER)&AcceptSCTraceInfo
|
|
);
|
|
}
|
|
|
|
if ((InternalTicket != NULL) &&
|
|
((InternalTicket->bit_mask & KERB_ENCRYPTED_TICKET_client_addresses_present) != 0))
|
|
|
|
{
|
|
(VOID) KerbGetClientNetbiosAddress(
|
|
&WorkstationName,
|
|
InternalTicket->KERB_ENCRYPTED_TICKET_client_addresses
|
|
);
|
|
}
|
|
|
|
//
|
|
// First, handle auditing
|
|
//
|
|
if (Status == STATUS_SUCCESS)
|
|
{
|
|
//
|
|
// The following generates a successful audit event.
|
|
// A new field (logon GUID) was added to this audit event.
|
|
//
|
|
// In order to send this new field to LSA, we had two options:
|
|
// 1) add new function (AuditLogonEx) to LSA dispatch table
|
|
// 2) define a private (LsaI) function to do the job
|
|
//
|
|
// option#2 was chosen because the logon GUID is a Kerberos only
|
|
// feature.
|
|
//
|
|
|
|
if (S4UDelegationInfo)
|
|
{
|
|
TransittedServices = (PLSA_ADT_STRING_LIST)KerbAllocate(
|
|
sizeof(LSA_ADT_STRING_LIST) +
|
|
sizeof(LSA_ADT_STRING_LIST_ENTRY) * S4UDelegationInfo->TransitedListSize);
|
|
|
|
if (TransittedServices)
|
|
{
|
|
PLSA_ADT_STRING_LIST_ENTRY Entry;
|
|
|
|
Entry = (PLSA_ADT_STRING_LIST_ENTRY)&TransittedServices[1];
|
|
|
|
TransittedServices->cStrings = S4UDelegationInfo->TransitedListSize;
|
|
TransittedServices->Strings = Entry;
|
|
|
|
for (ULONG i = 0; i < S4UDelegationInfo->TransitedListSize; i++)
|
|
{
|
|
Entry->Flags = 0;
|
|
Entry->String.Length = S4UDelegationInfo->S4UTransitedServices[i].Length;
|
|
Entry->String.MaximumLength = S4UDelegationInfo->S4UTransitedServices[i].MaximumLength;
|
|
Entry->String.Buffer = S4UDelegationInfo->S4UTransitedServices[i].Buffer;
|
|
Entry++;
|
|
}
|
|
}
|
|
}
|
|
|
|
DsysAssert(Context);
|
|
|
|
|
|
(void) KerbAuditLogon(
|
|
Status,
|
|
Status,
|
|
Context,
|
|
&WorkstationName,
|
|
&LogonId,
|
|
TransittedServices
|
|
);
|
|
|
|
#ifdef DBG
|
|
InterlockedIncrement(&Audits);
|
|
#endif
|
|
|
|
}
|
|
else if (!NT_SUCCESS(Status) || (LastStatus != STATUS_SUCCESS))
|
|
{
|
|
PUNICODE_STRING Wks = ((WorkstationName.Length) ? &WorkstationName : NULL);
|
|
|
|
if (Context != NULL)
|
|
{
|
|
LsaFunctions->AuditLogon(
|
|
STATUS_LOGON_FAILURE,
|
|
(LastStatus != STATUS_SUCCESS) ? LastStatus : Status,
|
|
&Context->ClientName,
|
|
&Context->ClientRealm,
|
|
Wks,
|
|
NULL, // no sid instead of a bogus one
|
|
Network,
|
|
&KerberosSource,
|
|
&LogonId
|
|
);
|
|
}
|
|
else
|
|
{
|
|
UNICODE_STRING EmptyString = NULL_UNICODE_STRING;
|
|
|
|
LsaFunctions->AuditLogon(
|
|
(LastStatus != STATUS_SUCCESS) ? LastStatus : Status,
|
|
STATUS_SUCCESS,
|
|
&EmptyString,
|
|
&EmptyString,
|
|
Wks,
|
|
NULL,
|
|
Network,
|
|
&KerberosSource,
|
|
&LogonId
|
|
);
|
|
}
|
|
}
|
|
|
|
if (Context != NULL)
|
|
{
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
//
|
|
// Only unlink the context if we just created it.
|
|
//
|
|
|
|
if (ContextHandle == 0)
|
|
{
|
|
KerbReferenceContextByPointer(
|
|
Context,
|
|
TRUE
|
|
);
|
|
KerbDereferenceContext(Context);
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Set the context to an invalid state.
|
|
//
|
|
|
|
KerbWriteLockContexts();
|
|
Context->ContextState = InvalidState;
|
|
KerbUnlockContexts();
|
|
}
|
|
}
|
|
else
|
|
{
|
|
KerbWriteLockContexts();
|
|
if (Status == STATUS_SUCCESS)
|
|
{
|
|
Context->ContextState = AuthenticatedState;
|
|
}
|
|
else
|
|
{
|
|
if ((*ContextAttributes & ASC_RET_EXTENDED_ERROR) != 0)
|
|
{
|
|
Context->ContextState = ErrorMessageSentState;
|
|
}
|
|
else if (!IsTgtRequest)
|
|
{
|
|
Context->ContextState = ApReplySentState;
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// else the HandleTgtRequest set the state
|
|
//
|
|
|
|
DsysAssert(Context->ContextState == TgtReplySentState);
|
|
}
|
|
}
|
|
KerbUnlockContexts();
|
|
}
|
|
KerbDereferenceContext(Context);
|
|
}
|
|
|
|
if (Status == STATUS_SUCCESS)
|
|
{
|
|
//
|
|
// On real success we map the context to the callers address
|
|
// space.
|
|
//
|
|
|
|
Status = KerbMapContext(
|
|
Context,
|
|
MappedContext,
|
|
ContextData
|
|
);
|
|
|
|
DebugLog((DEB_TRACE, "SpAcceptLsaModeContext called KerbMapContext ContextAttributes %#x, %#x\n", Context->ContextAttributes, Status));
|
|
}
|
|
|
|
if (LogonSession != NULL)
|
|
{
|
|
KerbDereferenceLogonSession( LogonSession );
|
|
}
|
|
|
|
if (Credential != NULL)
|
|
{
|
|
KerbDereferenceCredential( Credential );
|
|
}
|
|
|
|
if (InternalTicket != NULL)
|
|
{
|
|
KerbFreeTicket( InternalTicket );
|
|
}
|
|
if (InternalAuthenticator != NULL)
|
|
{
|
|
KerbFreeAuthenticator(InternalAuthenticator);
|
|
}
|
|
if (Request != NULL)
|
|
{
|
|
KerbFreeApRequest(Request);
|
|
}
|
|
|
|
if (Reply != NULL)
|
|
{
|
|
KerbFree(Reply);
|
|
}
|
|
KerbFreeKey(&SessionKey);
|
|
KerbFreeKey(&ServerKey);
|
|
|
|
if (UserSid != NULL)
|
|
{
|
|
KerbFree(UserSid);
|
|
}
|
|
|
|
//
|
|
// If there was a problem with the context or AP reply, the TokenHandle
|
|
// will not be reset to NULL. If it is NULL, close it so we don't leak
|
|
//
|
|
|
|
if ( TokenHandle != NULL )
|
|
{
|
|
D_DebugLog(( DEB_TRACE, "Closing token handle because context creation failed (%x)\n",
|
|
Status ));
|
|
|
|
NtClose( TokenHandle );
|
|
}
|
|
|
|
//
|
|
// Update performance counter
|
|
//
|
|
|
|
#ifndef WIN32_CHICAGO
|
|
if (ContextHandle == 0)
|
|
{
|
|
I_SamIIncrementPerformanceCounter(KerbServerContextCounter);
|
|
}
|
|
#endif // WIN32_CHICAGO
|
|
|
|
KerbFreeKey(&TicketKey);
|
|
KerbFreeString(&ServiceDomain);
|
|
KerbFreeString(&ClientDomain);
|
|
KerbFreeString(&ClientNetbiosDomain);
|
|
KerbFreeString(&ClientName);
|
|
KerbFreeString(&WorkstationName);
|
|
|
|
if (TransittedServices)
|
|
{
|
|
KerbFree(TransittedServices);
|
|
}
|
|
|
|
if (S4UDelegationInfo)
|
|
{
|
|
#if DBG
|
|
D_DebugLog((DEB_TRACE_S4U, "SpAcceptLsaModeContext target %wZ\n", &S4UDelegationInfo->S4U2proxyTarget));
|
|
|
|
for ( ULONG i = 0; i < S4UDelegationInfo->TransitedListSize; i++ )
|
|
{
|
|
D_DebugLog((DEB_TRACE_S4U, "SpAcceptLsaModeContext ts %#x: %wZ\n", i, &S4UDelegationInfo->S4UTransitedServices[i]));
|
|
}
|
|
#endif // DBG
|
|
|
|
MIDL_user_free(S4UDelegationInfo);
|
|
}
|
|
|
|
D_DebugLog((DEB_TRACE_LEAKS,"SpAcceptLsaModeContext returned 0x%x, Context 0x%x, Pid 0x%x\n",KerbMapKerbNtStatusToNtStatus(Status), *NewContextHandle, ClientProcess));
|
|
D_DebugLog((DEB_TRACE_API, "SpAcceptLsaModeContext (%p) returned 0x%x\n", Context, KerbMapKerbNtStatusToNtStatus(Status))); // fester
|
|
|
|
return (KerbMapKerbNtStatusToNtStatus(Status));
|
|
}
|
|
#endif WIN32_CHICAGO //we don't do server side stuff
|