Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1956 lines
67 KiB

  1. /*++ BUILD Version: 0009 // Increment this if a change has global effects
  2. Copyright (c) 1987-1993 Microsoft Corporation
  3. Module Name:
  4. sessetup.c
  5. Abstract:
  6. This module implements the Session setup related routines
  7. Author:
  8. Balan Sethu Raman (SethuR) 06-Mar-95 Created
  9. --*/
  10. #include "precomp.h"
  11. #pragma hdrstop
  12. #include "exsessup.h"
  13. #include "ntlsapi.h"
  14. #include "mrxsec.h"
  15. #include "rdrssp\kfuncs.h"
  16. #include "rdrssp\secret.h"
  17. #include <wincred.h>
  18. #include <secpkg.h>
  19. #ifdef ALLOC_PRAGMA
  20. #pragma alloc_text(PAGE, BuildSessionSetupSmb)
  21. #pragma alloc_text(PAGE, BuildNtLanmanResponsePrologue)
  22. #pragma alloc_text(PAGE, BuildNtLanmanResponseEpilogue)
  23. #pragma alloc_text(PAGE, BuildExtendedSessionSetupResponsePrologue)
  24. #pragma alloc_text(PAGE, BuildExtendedSessionSetupResponseEpilogue)
  25. #endif
  26. extern BOOLEAN MRxSmbSecuritySignaturesEnabled;
  27. UNICODE_STRING CifsServiceName = { 8, 10, L"cifs" };
  28. NTSTATUS
  29. BuildSessionSetupSmb(
  30. PSMB_EXCHANGE pExchange,
  31. PGENERIC_ANDX pAndXSmb,
  32. PULONG pAndXSmbBufferSize)
  33. /*++
  34. Routine Description:
  35. This routine builds the session setup SMB for a NT server
  36. Arguments:
  37. pExchange - the exchange instance
  38. pAndXSmb - the session setup to be filled in
  39. pAndXSmbBufferSize - the SMB buffer size on input modified to remaining size on
  40. output.
  41. Return Value:
  42. NTSTATUS - The return status for the operation
  43. Notes:
  44. Eventhough the general structure of the code tries to isolate dialect specific issues
  45. as much as possible this routine takes the opposite approach. This is because of the
  46. preamble and prologue to security interaction which far outweigh the dialect specific
  47. work required to be done. Therefore in the interests of a smaller footprint this approach
  48. has been adopted.
  49. --*/
  50. {
  51. NTSTATUS Status;
  52. PSMBCEDB_SESSION_ENTRY pSessionEntry;
  53. PSMBCE_SERVER pServer;
  54. PSMBCE_SESSION pSession;
  55. PREQ_SESSION_SETUP_ANDX pSessionSetup;
  56. PREQ_NT_SESSION_SETUP_ANDX pNtSessionSetup;
  57. PREQ_NT_EXTENDED_SESSION_SETUP_ANDX pExtendedNtSessionSetup;
  58. ULONG OriginalBufferSize = *pAndXSmbBufferSize;
  59. PAGED_CODE();
  60. pSessionEntry = SmbCeGetExchangeSessionEntry(pExchange);
  61. pServer = SmbCeGetExchangeServer(pExchange);
  62. pSession = SmbCeGetExchangeSession(pExchange);
  63. // There are three different variants of session setup and X that can be shipped to the
  64. // server. All three of them share some common fields. The setting of these common fields
  65. // is done in all the three cases by accessing the passed in buffer as an instance of
  66. // REQ_SESSION_SETUP_ANDX. The fields specific to the remaining two are conditionalized upon
  67. // accessing the same buffer as an instance of REQ_NT_SESSION_SETUP_ANDX and
  68. // REQ_EXTENDED_NT_SESSION_SETUP_ANDX respectively. This implies that great care must be
  69. // taken in shuffling the fields in these three structs.
  70. pSessionSetup = (PREQ_SESSION_SETUP_ANDX)pAndXSmb;
  71. pNtSessionSetup = (PREQ_NT_SESSION_SETUP_ANDX)pSessionSetup;
  72. pExtendedNtSessionSetup = (PREQ_NT_EXTENDED_SESSION_SETUP_ANDX)pSessionSetup;
  73. pSessionSetup->AndXCommand = 0xff; // No ANDX
  74. pSessionSetup->AndXReserved = 0x00; // Reserved (MBZ)
  75. SmbPutUshort(&pSessionSetup->AndXOffset, 0x0000); // No AndX as of yet.
  76. // Since we can allocate pool dynamically, we set our buffer size
  77. // to match that of the server.
  78. SmbPutUshort(&pSessionSetup->MaxBufferSize, (USHORT)pServer->MaximumBufferSize);
  79. SmbPutUshort(&pSessionSetup->MaxMpxCount, pServer->MaximumRequests);
  80. SmbPutUshort(&pSessionSetup->VcNumber, (USHORT)pSessionEntry->SessionVCNumber);
  81. SmbPutUlong(&pSessionSetup->SessionKey, pServer->SessionKey);
  82. SmbPutUlong(&pSessionSetup->Reserved, 0);
  83. if (pServer->Dialect == NTLANMAN_DIALECT) {
  84. // Set up the NT server session setup specific parameters.
  85. if (FlagOn(pServer->DialectFlags,DF_EXTENDED_SECURITY) &&
  86. !FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION)) {
  87. SmbPutUshort(&pExtendedNtSessionSetup->WordCount,12);
  88. // Set the capabilities
  89. SmbPutUlong(
  90. &pExtendedNtSessionSetup->Capabilities,
  91. (CAP_NT_STATUS |
  92. CAP_UNICODE |
  93. CAP_LEVEL_II_OPLOCKS |
  94. CAP_NT_SMBS |
  95. CAP_DYNAMIC_REAUTH |
  96. CAP_EXTENDED_SECURITY));
  97. } else {
  98. SmbPutUshort(&pNtSessionSetup->WordCount,13);
  99. // Set the capabilities
  100. SmbPutUlong(
  101. &pNtSessionSetup->Capabilities,
  102. (CAP_NT_STATUS |
  103. CAP_UNICODE |
  104. CAP_LEVEL_II_OPLOCKS |
  105. CAP_NT_SMBS ));
  106. }
  107. } else {
  108. SmbPutUshort(&pSessionSetup->WordCount,10);
  109. }
  110. // Build the security information in the session setup SMB.
  111. Status = BuildSessionSetupSecurityInformation(
  112. pExchange,
  113. (PBYTE)pSessionSetup,
  114. pAndXSmbBufferSize);
  115. if (NT_SUCCESS(Status)) {
  116. // Copy the operating system name and the LANMAN version info
  117. // position the buffer for copying the operating system name and the lanman type.
  118. PBYTE pBuffer = (PBYTE)pSessionSetup +
  119. OriginalBufferSize -
  120. *pAndXSmbBufferSize;
  121. if (FlagOn(pServer->DialectFlags,DF_UNICODE)){
  122. //
  123. // Make sure the UNICODE string is suitably aligned
  124. //
  125. if( ((ULONG_PTR)pBuffer) & 01 ) {
  126. pBuffer++;
  127. (*pAndXSmbBufferSize)--;
  128. }
  129. Status = SmbPutUnicodeString(
  130. &pBuffer,
  131. &SmbCeContext.OperatingSystem,
  132. pAndXSmbBufferSize);
  133. if (NT_SUCCESS(Status)) {
  134. Status = SmbPutUnicodeString(
  135. &pBuffer,
  136. &SmbCeContext.LanmanType,
  137. pAndXSmbBufferSize);
  138. }
  139. } else {
  140. Status = SmbPutUnicodeStringAsOemString(
  141. &pBuffer,
  142. &SmbCeContext.OperatingSystem,
  143. pAndXSmbBufferSize);
  144. if (NT_SUCCESS(Status)) {
  145. Status = SmbPutUnicodeStringAsOemString(
  146. &pBuffer,
  147. &SmbCeContext.LanmanType,
  148. pAndXSmbBufferSize);
  149. }
  150. }
  151. if (NT_SUCCESS(Status)) {
  152. if (pServer->Dialect == NTLANMAN_DIALECT) {
  153. if (FlagOn(pServer->DialectFlags,DF_EXTENDED_SECURITY) &&
  154. !FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION)) {
  155. SmbPutUshort(
  156. &pExtendedNtSessionSetup->ByteCount,
  157. (USHORT)(OriginalBufferSize -
  158. FIELD_OFFSET(REQ_NT_EXTENDED_SESSION_SETUP_ANDX,Buffer) -
  159. *pAndXSmbBufferSize));
  160. } else {
  161. SmbPutUshort(
  162. &pNtSessionSetup->ByteCount,
  163. (USHORT)(OriginalBufferSize -
  164. FIELD_OFFSET(REQ_NT_SESSION_SETUP_ANDX,Buffer) -
  165. *pAndXSmbBufferSize));
  166. }
  167. } else {
  168. SmbPutUshort(
  169. &pSessionSetup->ByteCount,
  170. (USHORT)(OriginalBufferSize -
  171. FIELD_OFFSET(REQ_SESSION_SETUP_ANDX,Buffer) -
  172. *pAndXSmbBufferSize));
  173. }
  174. }
  175. }
  176. return Status;
  177. }
  178. NTSTATUS
  179. BuildNtLanmanResponsePrologue(
  180. PSMB_EXCHANGE pExchange,
  181. PUNICODE_STRING pUserName,
  182. PUNICODE_STRING pDomainName,
  183. PSTRING pCaseSensitiveResponse,
  184. PSTRING pCaseInsensitiveResponse,
  185. PSECURITY_RESPONSE_CONTEXT pResponseContext)
  186. /*++
  187. Routine Description:
  188. This routine builds the security related information for the session setup SMB to
  189. without extended security negotiation
  190. Arguments:
  191. Return Value:
  192. RXSTATUS - The return status for the operation
  193. Notes:
  194. This routine needs to be executed in the system process in order to protect virtual memory
  195. --*/
  196. {
  197. NTSTATUS Status;
  198. NTSTATUS FinalStatus;
  199. UNICODE_STRING ServerName;
  200. UNICODE_STRING TargetServerName;
  201. PVOID pTargetInformation;
  202. ULONG TargetInformationSize;
  203. ULONG ExtraSize = 0;
  204. PVOID ExtraServerTargetInfo = NULL;
  205. SecBufferDesc InputToken;
  206. SecBuffer InputBuffer[2];
  207. SecBufferDesc *pOutputBufferDescriptor = NULL;
  208. SecBuffer *pOutputBuffer = NULL;
  209. ULONG_PTR OutputBufferDescriptorSize;
  210. ULONG LsaFlags = ISC_REQ_ALLOCATE_MEMORY;
  211. TimeStamp Expiry;
  212. PCHALLENGE_MESSAGE InToken = NULL;
  213. ULONG InTokenSize;
  214. PNTLM_CHALLENGE_MESSAGE NtlmInToken = NULL;
  215. ULONG NtlmInTokenSize = 0;
  216. PAUTHENTICATE_MESSAGE OutToken = NULL;
  217. PNTLM_INITIALIZE_RESPONSE NtlmOutToken = NULL;
  218. PUCHAR p = NULL;
  219. ULONG_PTR AllocateSize;
  220. PSMBCE_SERVER pServer = SmbCeGetExchangeServer(pExchange);
  221. PSMBCE_SESSION pSession = SmbCeGetExchangeSession(pExchange);
  222. PSMBCEDB_SERVER_ENTRY pServerEntry = SmbCeGetExchangeServerEntry(pExchange);
  223. PAGED_CODE();
  224. try {
  225. pResponseContext->KerberosSetup.pOutputContextBuffer = NULL;
  226. #if defined(REMOTE_BOOT)
  227. //
  228. // If this is a remote boot session and we do not have the proper
  229. // credentials to log in to the machine account, then use the NULL
  230. // session.
  231. //
  232. if (FlagOn(pSession->Flags, SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION) &&
  233. !MRxSmbRemoteBootDoMachineLogon) {
  234. //
  235. // Remote boot session with no credentials. Set up a NULL session.
  236. //
  237. pCaseSensitiveResponse->Length = 0;
  238. pCaseSensitiveResponse->MaximumLength = 0;
  239. pCaseSensitiveResponse->Buffer = NULL;
  240. pCaseInsensitiveResponse->Length = 0;
  241. pCaseInsensitiveResponse->MaximumLength = 0;
  242. pCaseInsensitiveResponse->Buffer = NULL;
  243. pDomainName->Length = 0;
  244. pDomainName->MaximumLength = 0;
  245. pDomainName->Buffer = NULL;
  246. pUserName->Length = 0;
  247. pUserName->MaximumLength = 0;
  248. pUserName->Buffer = NULL;
  249. Status = STATUS_SUCCESS;
  250. } else
  251. #endif // defined(REMOTE_BOOT)
  252. {
  253. SmbCeGetServerName(
  254. pExchange->SmbCeContext.pVNetRoot->pNetRoot->pSrvCall,
  255. &ServerName);
  256. if (pServerEntry->DomainName.Length && pServerEntry->DomainName.Buffer) {
  257. TargetServerName = ServerName;
  258. ExtraSize = ServerName.Length;
  259. ExtraServerTargetInfo = ServerName.Buffer;
  260. ServerName = pServerEntry->DomainName;
  261. }
  262. TargetInformationSize = ServerName.Length;
  263. pTargetInformation = ServerName.Buffer;
  264. InTokenSize = sizeof(CHALLENGE_MESSAGE) + TargetInformationSize + ExtraSize;
  265. NtlmInTokenSize = sizeof(NTLM_CHALLENGE_MESSAGE);
  266. if (pSession->pPassword != NULL) {
  267. NtlmInTokenSize += pSession->pPassword->Length;
  268. LsaFlags |= ISC_REQ_USE_SUPPLIED_CREDS;
  269. }
  270. if (pSession->pUserName != NULL) {
  271. NtlmInTokenSize += pSession->pUserName->Length;
  272. LsaFlags |= ISC_REQ_USE_SUPPLIED_CREDS;
  273. }
  274. if (pSession->pUserDomainName != NULL) {
  275. NtlmInTokenSize += pSession->pUserDomainName->Length;
  276. LsaFlags |= ISC_REQ_USE_SUPPLIED_CREDS;
  277. }
  278. // For Alignment purposes, we want InTokenSize rounded up to
  279. // the nearest word size.
  280. AllocateSize = ((InTokenSize + 3) & ~3) + NtlmInTokenSize;
  281. InToken = ExAllocatePool(
  282. PagedPool,
  283. AllocateSize );
  284. if ( InToken == NULL )
  285. {
  286. Status = STATUS_NO_MEMORY;
  287. try_return( Status );
  288. }
  289. // Allocate the output buffer
  290. OutputBufferDescriptorSize = sizeof(SecBufferDesc) + 2 * sizeof(SecBuffer);
  291. pOutputBufferDescriptor = ExAllocatePool(
  292. PagedPool,
  293. OutputBufferDescriptorSize );
  294. if ( pOutputBufferDescriptor == NULL )
  295. {
  296. Status = STATUS_NO_MEMORY ;
  297. try_return( Status );
  298. }
  299. pOutputBuffer = (SecBuffer *)(pOutputBufferDescriptor + 1);
  300. pResponseContext->KerberosSetup.pOutputContextBuffer = pOutputBufferDescriptor;
  301. RxDbgTrace(0,Dbg,("Allocate pool %p\n", InToken));
  302. // partition off the NTLM in token part of the
  303. // buffer
  304. if (LsaFlags & ISC_REQ_USE_SUPPLIED_CREDS)
  305. {
  306. NtlmInToken = (PNTLM_CHALLENGE_MESSAGE) ((PUCHAR) InToken + InTokenSize);
  307. NtlmInToken = (PNTLM_CHALLENGE_MESSAGE) (((ULONG_PTR) NtlmInToken + 3) & ~3);
  308. RtlZeroMemory(NtlmInToken,NtlmInTokenSize);
  309. p = (PUCHAR) NtlmInToken + sizeof(NTLM_CHALLENGE_MESSAGE);
  310. }
  311. if(!SecIsValidHandle(&pSession->CredentialHandle)) {
  312. UNICODE_STRING LMName;
  313. TimeStamp LifeTime;
  314. LMName.Buffer = (PWSTR) InToken;
  315. LMName.Length = NTLMSP_NAME_SIZE;
  316. LMName.MaximumLength = LMName.Length;
  317. RtlCopyMemory(
  318. LMName.Buffer,
  319. NTLMSP_NAME,
  320. NTLMSP_NAME_SIZE);
  321. if (FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION) ||
  322. MRxSmbUseKernelModeSecurity) {
  323. ULONG fCredentialUse = SECPKG_CRED_OUTBOUND;
  324. if (FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION)) {
  325. fCredentialUse |= SECPKG_CRED_OWF_PASSWORD;
  326. }
  327. Status = AcquireCredentialsHandleK(
  328. NULL,
  329. &LMName,
  330. fCredentialUse,
  331. &pSession->LogonId,
  332. NULL,
  333. NULL,
  334. (PVOID)1,
  335. &pSession->CredentialHandle,
  336. &LifeTime);
  337. } else {
  338. Status = AcquireCredentialsHandleW(
  339. NULL,
  340. &LMName,
  341. SECPKG_CRED_OUTBOUND,
  342. &pSession->LogonId,
  343. NULL,
  344. NULL,
  345. (PVOID)1,
  346. &pSession->CredentialHandle,
  347. &LifeTime);
  348. }
  349. if(!NT_SUCCESS(Status)) {
  350. SecInvalidateHandle( &pSession->CredentialHandle );
  351. SmbLogError(Status,
  352. LOG,
  353. BuildNtLanmanResponsePrologue_1,
  354. LOGPTR(pSession)
  355. LOGULONG(Status)
  356. LOGUSTR(ServerName));
  357. // We need to free the output buffer (and description) because if they are valid,
  358. // BuildNtLanmanResponseEpilogue will try and parse them, and they have not been
  359. // initialized yet...
  360. ExFreePool( pOutputBufferDescriptor );
  361. pResponseContext->KerberosSetup.pOutputContextBuffer = NULL;
  362. try_return(Status);
  363. }
  364. }
  365. // Copy in the pass,user,domain if they were specified
  366. if(pSession->pPassword != NULL) {
  367. NtlmInToken->Password.Length = pSession->pPassword->Length;
  368. NtlmInToken->Password.MaximumLength = pSession->pPassword->Length;
  369. RtlCopyMemory(
  370. p,
  371. pSession->pPassword->Buffer,
  372. pSession->pPassword->Length);
  373. NtlmInToken->Password.Buffer = (ULONG) (p - (PUCHAR)NtlmInToken);
  374. p += pSession->pPassword->Length;
  375. }
  376. if(pSession->pUserName != NULL) {
  377. NtlmInToken->UserName.Length = pSession->pUserName->Length;
  378. NtlmInToken->UserName.MaximumLength = pSession->pUserName->Length;
  379. RtlCopyMemory(
  380. p,
  381. pSession->pUserName->Buffer,
  382. pSession->pUserName->Length);
  383. NtlmInToken->UserName.Buffer = (ULONG) (p - (PUCHAR)NtlmInToken);
  384. p += pSession->pUserName->Length;
  385. }
  386. if (pSession->pUserDomainName != NULL) {
  387. NtlmInToken->DomainName.Length = pSession->pUserDomainName->Length;
  388. NtlmInToken->DomainName.MaximumLength = pSession->pUserDomainName->Length;
  389. RtlCopyMemory(
  390. p,
  391. pSession->pUserDomainName->Buffer,
  392. pSession->pUserDomainName->Length);
  393. NtlmInToken->DomainName.Buffer = (ULONG) (p - (PUCHAR)NtlmInToken);
  394. p += pSession->pUserDomainName->Length;
  395. }
  396. RtlCopyMemory(
  397. InToken->Signature,
  398. NTLMSSP_SIGNATURE,
  399. sizeof(NTLMSSP_SIGNATURE));
  400. InToken->MessageType = NtLmChallenge;
  401. InToken->NegotiateFlags = NTLMSSP_NEGOTIATE_UNICODE |
  402. NTLMSSP_NEGOTIATE_OEM |
  403. NTLMSSP_REQUEST_INIT_RESPONSE;
  404. if (pServerEntry->Server.SecurityMode == SECURITY_MODE_SHARE_LEVEL) {
  405. InToken->NegotiateFlags |= NTLMSSP_NEGOTIATE_EXPORTED_CONTEXT;
  406. }
  407. RtlCopyMemory(
  408. InToken->Challenge,
  409. pServer->EncryptionKey,
  410. MSV1_0_CHALLENGE_LENGTH);
  411. InToken->TargetName.Length =
  412. InToken->TargetName.MaximumLength = (USHORT)TargetInformationSize;
  413. InToken->TargetName.Buffer = sizeof(CHALLENGE_MESSAGE);
  414. RtlCopyMemory(
  415. (PCHAR)InToken + sizeof(CHALLENGE_MESSAGE),
  416. pTargetInformation,
  417. TargetInformationSize);
  418. TargetServerName.Buffer = (PWCHAR) ((PCHAR)InToken +
  419. sizeof(CHALLENGE_MESSAGE) +
  420. TargetInformationSize);
  421. if (ExtraSize) {
  422. RtlCopyMemory(
  423. TargetServerName.Buffer,
  424. ExtraServerTargetInfo,
  425. ExtraSize);
  426. InToken->NegotiateFlags |= NTLMSSP_TARGET_TYPE_DOMAIN;
  427. } else {
  428. InToken->NegotiateFlags |= NTLMSSP_TARGET_TYPE_SERVER;
  429. }
  430. InputToken.pBuffers = InputBuffer;
  431. InputToken.cBuffers = 1;
  432. InputToken.ulVersion = 0;
  433. InputBuffer[0].pvBuffer = InToken;
  434. InputBuffer[0].cbBuffer = InTokenSize;
  435. InputBuffer[0].BufferType = SECBUFFER_TOKEN;
  436. if (LsaFlags & ISC_REQ_USE_SUPPLIED_CREDS)
  437. {
  438. InputToken.cBuffers = 2;
  439. InputBuffer[1].pvBuffer = NtlmInToken;
  440. InputBuffer[1].cbBuffer = NtlmInTokenSize;
  441. InputBuffer[1].BufferType = SECBUFFER_TOKEN;
  442. }
  443. pOutputBufferDescriptor->pBuffers = pOutputBuffer;
  444. pOutputBufferDescriptor->cBuffers = 2;
  445. pOutputBufferDescriptor->ulVersion = 0;
  446. pOutputBuffer[0].pvBuffer = NULL;
  447. pOutputBuffer[0].cbBuffer = 0;
  448. pOutputBuffer[0].BufferType = SECBUFFER_TOKEN;
  449. pOutputBuffer[1].pvBuffer = NULL;
  450. pOutputBuffer[1].cbBuffer = 0;
  451. pOutputBuffer[1].BufferType = SECBUFFER_TOKEN;
  452. if (FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION) ||
  453. MRxSmbUseKernelModeSecurity) {
  454. Status = InitializeSecurityContextK(
  455. &pSession->CredentialHandle,
  456. (PCtxtHandle)NULL,
  457. ExtraSize ? &TargetServerName : NULL,
  458. LsaFlags,
  459. 0,
  460. SECURITY_NATIVE_DREP,
  461. &InputToken,
  462. 0,
  463. &pSession->SecurityContextHandle,
  464. pOutputBufferDescriptor,
  465. &FinalStatus,
  466. &Expiry);
  467. } else {
  468. Status = InitializeSecurityContextW(
  469. &pSession->CredentialHandle,
  470. (PCtxtHandle)NULL,
  471. ExtraSize ? &TargetServerName : NULL,
  472. LsaFlags,
  473. 0,
  474. SECURITY_NATIVE_DREP,
  475. &InputToken,
  476. 0,
  477. &pSession->SecurityContextHandle,
  478. pOutputBufferDescriptor,
  479. &FinalStatus,
  480. &Expiry);
  481. }
  482. if(!NT_SUCCESS(Status)) {
  483. if (FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION) ||
  484. MRxSmbUseKernelModeSecurity) {
  485. Status = MapSecurityErrorK(Status);
  486. } else {
  487. Status = MapSecurityError(Status);
  488. }
  489. SmbCeLog(("IniSecCtxStat %p %lx\n",SmbCeGetExchangeSessionEntry(pExchange),Status));
  490. SmbLogError(Status,
  491. LOG,
  492. BuildNtLanmanResponsePrologue_2,
  493. LOGPTR(pSession)
  494. LOGULONG(Status)
  495. LOGUSTR(ServerName));
  496. try_return(Status);
  497. }
  498. OutToken = (PAUTHENTICATE_MESSAGE) pOutputBuffer[0].pvBuffer;
  499. ASSERT(OutToken != NULL);
  500. RxDbgTrace(0,Dbg,("InitSecCtxt OutToken is %p\n", OutToken));
  501. if (OutToken == NULL) {
  502. Status = STATUS_UNSUCCESSFUL;
  503. SmbLogError(Status,
  504. LOG,
  505. BuildNtLanmanResponsePrologue_3,
  506. LOGPTR(pSession)
  507. LOGULONG(Status)
  508. LOGUSTR(ServerName));
  509. try_return(Status);
  510. }
  511. // The security response the pointers are encoded in terms off the offset
  512. // from the beginning of the buffer. Make the appropriate adjustments.
  513. if (ARGUMENT_PRESENT(pCaseSensitiveResponse)) {
  514. pCaseSensitiveResponse->Length = OutToken->NtChallengeResponse.Length;
  515. pCaseSensitiveResponse->MaximumLength = OutToken->NtChallengeResponse.MaximumLength;
  516. pCaseSensitiveResponse->Buffer = (PBYTE)OutToken + (ULONG_PTR)OutToken->NtChallengeResponse.Buffer;
  517. }
  518. if (ARGUMENT_PRESENT(pCaseInsensitiveResponse)) {
  519. pCaseInsensitiveResponse->Length = OutToken->LmChallengeResponse.Length;
  520. pCaseInsensitiveResponse->MaximumLength = OutToken->LmChallengeResponse.MaximumLength;
  521. pCaseInsensitiveResponse->Buffer = (PBYTE)OutToken + (ULONG_PTR)OutToken->LmChallengeResponse.Buffer;
  522. }
  523. if (pSession->pUserDomainName != NULL) {
  524. *pDomainName = *(pSession->pUserDomainName);
  525. } else {
  526. pDomainName->Length = OutToken->DomainName.Length;
  527. pDomainName->MaximumLength = pDomainName->Length;
  528. pDomainName->Buffer = (PWCHAR)((PBYTE)OutToken + (ULONG_PTR)OutToken->DomainName.Buffer);
  529. }
  530. if (pSession->pUserName != NULL) {
  531. *pUserName = *(pSession->pUserName);
  532. } else {
  533. pUserName->Length = OutToken->UserName.Length;
  534. pUserName->MaximumLength = OutToken->UserName.MaximumLength;
  535. pUserName->Buffer = (PWCHAR)((PBYTE)OutToken + (ULONG_PTR)OutToken->UserName.Buffer);
  536. }
  537. NtlmOutToken = pOutputBuffer[1].pvBuffer;
  538. if (NtlmOutToken != NULL) {
  539. RtlCopyMemory(
  540. pSession->UserSessionKey,
  541. NtlmOutToken->UserSessionKey,
  542. MSV1_0_USER_SESSION_KEY_LENGTH);
  543. RtlCopyMemory(
  544. pSession->LanmanSessionKey,
  545. NtlmOutToken->LanmanSessionKey,
  546. MSV1_0_LANMAN_SESSION_KEY_LENGTH);
  547. }
  548. }
  549. try_exit:NOTHING;
  550. } finally {
  551. if (InToken != NULL) {
  552. ExFreePool( InToken );
  553. }
  554. if (!NT_SUCCESS(Status)) {
  555. BuildNtLanmanResponseEpilogue(pExchange, pResponseContext);
  556. } else {
  557. // This routine can be call from tree connect request, the SecurityContextHandle
  558. // will be overwritten if not deleted, which causes pool leak on LSA.
  559. DeleteSecurityContextForSession(pSession);
  560. }
  561. }
  562. SmbLogError(Status,
  563. LOG,
  564. BuildNtLanmanResponsePrologue,
  565. LOGPTR(pSession)
  566. LOGULONG(Status));
  567. return Status;
  568. }
  569. NTSTATUS
  570. BuildNtLanmanResponseEpilogue(
  571. PSMB_EXCHANGE pExchange,
  572. PSECURITY_RESPONSE_CONTEXT pResponseContext)
  573. /*++
  574. This routine needs to be executed in the system process in order to protect virtual memory
  575. --*/
  576. {
  577. NTSTATUS Status = STATUS_SUCCESS;
  578. PSMBCE_SESSION pSession = SmbCeGetExchangeSession(pExchange);
  579. PAGED_CODE();
  580. if (pResponseContext->KerberosSetup.pOutputContextBuffer != NULL) {
  581. ULONG i = 0;
  582. SecBufferDesc *pBufferDescriptor = (SecBufferDesc *)pResponseContext->KerberosSetup.pOutputContextBuffer;
  583. SecBuffer *pBuffer = pBufferDescriptor->pBuffers;
  584. ULONG_PTR BufferDescriptorSize = sizeof(SecBufferDesc) + 2 * sizeof(SecBuffer);
  585. for (i = 0; i < pBufferDescriptor->cBuffers; i++) {
  586. if (pBuffer[i].pvBuffer != NULL) {
  587. if (FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION) ||
  588. MRxSmbUseKernelModeSecurity) {
  589. FreeContextBufferK(pBuffer[i].pvBuffer);
  590. } else {
  591. FreeContextBuffer(pBuffer[i].pvBuffer);
  592. }
  593. }
  594. }
  595. ExFreePool( pBufferDescriptor );
  596. pResponseContext->KerberosSetup.pOutputContextBuffer = NULL;
  597. }
  598. return Status;
  599. }
  600. NTSTATUS
  601. BuildExtendedSessionSetupResponsePrologue(
  602. PSMB_EXCHANGE pExchange,
  603. PVOID pSecurityBlobPtr,
  604. PUSHORT pSecurityBlobSize,
  605. PSECURITY_RESPONSE_CONTEXT pResponseContext)
  606. /*++
  607. Routine Description:
  608. This routine builds the security related information for the session setup SMB to
  609. a NT server with extended security
  610. Arguments:
  611. pExchange - the SMB_EXCHANGE that's going on for this call. If this is a
  612. subsequent call, this exchange will have the server's security
  613. blob.
  614. pSecurityBlobPtr - On entry, pointer to where in the SMB to stick the security
  615. blob destined for the server.
  616. pSecurityBlobSize - On entry, the max size allowed for a security blob. On
  617. exit, the actual size of the blob.
  618. pResponseContext -
  619. Return Value:
  620. NTSTATUS - The return status for the operation
  621. Notes:
  622. Eventhough the genral structure of the code tries to isolate dialect specific issues
  623. as much as possible this routine takes the opposite approach. This is because of the
  624. preamble and prologue to security interaction which far outweigh the dialect specific
  625. work required to be done. Therefore in the interests of a smaller footprint this approach
  626. has been adopted.
  627. This routine needs to be executed in the system process in order to protect virtual memory
  628. --*/
  629. {
  630. NTSTATUS Status;
  631. SECURITY_STATUS SecStatus;
  632. ULONG Catts;
  633. TimeStamp Expiry;
  634. ULONG LsaFlags = (ISC_REQ_MUTUAL_AUTH |
  635. ISC_REQ_DELEGATE |
  636. ISC_REQ_FRAGMENT_TO_FIT );
  637. ULONG_PTR RemoteBlobOffset;
  638. ULONG_PTR OutputBufferSize;
  639. UNICODE_STRING PrincipalName = { 0 };
  640. PUNICODE_STRING pServerPrincipalName;
  641. PVOID pServerSecurityBlob;
  642. ULONG ServerSecurityBlobSize;
  643. PUCHAR pTempBlob = NULL;
  644. PSMBCE_SERVER pServer = SmbCeGetExchangeServer(pExchange);
  645. PSMBCE_SESSION pSession = SmbCeGetExchangeSession(pExchange);
  646. PSMBCEDB_SERVER_ENTRY pServerEntry = SmbCeGetExchangeServerEntry(pExchange);
  647. UNICODE_STRING ServerName;
  648. BOOLEAN bTempServerName = FALSE;
  649. PUNICODE_STRING pServerDomainName;
  650. UNICODE_STRING TargetInfoMarshalled;
  651. PSMBCE_EXTENDED_SESSION pExtendedSession;
  652. PSMB_EXTENDED_SESSION_SETUP_EXCHANGE pExtendedSessionSetupExchange;
  653. SecBufferDesc InputToken;
  654. SecBuffer InputBuffer;
  655. SecBufferDesc OutputToken;
  656. SecBuffer OutputBuffer;
  657. PCtxtHandle pInputContextHandle = NULL;
  658. ULONG SpnSize = 0;
  659. PAGED_CODE();
  660. ASSERT((pExchange->Type == EXTENDED_SESSION_SETUP_EXCHANGE) &&
  661. (pSession->Type == EXTENDED_NT_SESSION));
  662. SmbCeAcquireResource();
  663. if (pServerEntry->DnsName.Buffer != NULL) {
  664. ServerName.Length = pServerEntry->DnsName.Length;
  665. ServerName.MaximumLength = pServerEntry->DnsName.MaximumLength;
  666. ServerName.Buffer = RxAllocatePoolWithTag(PagedPool,ServerName.MaximumLength,MRXSMB_SERVER_POOLTAG);
  667. if (ServerName.Buffer) {
  668. RtlCopyMemory(ServerName.Buffer,
  669. pServerEntry->DnsName.Buffer,
  670. pServerEntry->DnsName.Length);
  671. bTempServerName = TRUE;
  672. } else {
  673. SmbCeReleaseResource();
  674. Status = STATUS_INSUFFICIENT_RESOURCES;
  675. goto FINALLY;
  676. }
  677. //DbgPrint("DNS name is used for session setup %wZ\n", &ServerName);
  678. } else {
  679. SmbCeGetServerName(
  680. pExchange->SmbCeContext.pVNetRoot->pNetRoot->pSrvCall,
  681. &ServerName);
  682. }
  683. SmbCeReleaseResource();
  684. ASSERT(ServerName.MaximumLength > (ServerName.Length + sizeof(WCHAR)));
  685. if ((pExchange->RxContext != NULL) &&
  686. (pExchange->RxContext->MajorFunction == IRP_MJ_CREATE) &&
  687. ((pExchange->RxContext->Create.NtCreateParameters.DfsContext == UIntToPtr(DFS_OPEN_CONTEXT)) ||
  688. (pExchange->RxContext->Create.NtCreateParameters.DfsContext == UIntToPtr(DFS_DOWNLEVEL_OPEN_CONTEXT)))) {
  689. ASSERT(pExchange->RxContext->Create.NtCreateParameters.DfsNameContext != NULL);
  690. if (pSession->TargetInfoMarshalled == NULL) {
  691. PDFS_NAME_CONTEXT DfsNameContext = (PDFS_NAME_CONTEXT)pExchange->RxContext->Create.NtCreateParameters.DfsNameContext;
  692. if (DfsNameContext->pDfsTargetInfo) {
  693. PCREDENTIAL_TARGET_INFORMATIONW InTargetInfo = DfsNameContext->pDfsTargetInfo;
  694. #if 0
  695. DbgPrint("DFS TargetInfo is used %x\n",InTargetInfo);
  696. DbgPrint("TargeInfo TargetName %ws\n",InTargetInfo->TargetName);
  697. DbgPrint("TargeInfo NetbiosServerName %ws\n",InTargetInfo->NetbiosServerName);
  698. DbgPrint("TargeInfo DnsServerName %ws\n",InTargetInfo->DnsServerName);
  699. DbgPrint("TargeInfo NetbiosDomainName %ws\n",InTargetInfo->NetbiosDomainName);
  700. DbgPrint("TargeInfo DnsDomainName %ws\n",InTargetInfo->DnsDomainName);
  701. DbgPrint("TargeInfo DnsTreeName %ws\n",InTargetInfo->DnsTreeName);
  702. DbgPrint("TargeInfo CredTypes %ws\n",InTargetInfo->CredTypes);
  703. DbgPrint("TargeInfo TargetNameFlags %x\n",InTargetInfo->Flags);
  704. DbgPrint("TargeInfo CredTypeCount %x\n",InTargetInfo->CredTypeCount);
  705. #endif
  706. Status = CredMarshalTargetInfo(
  707. InTargetInfo,
  708. &pSession->TargetInfoMarshalled,
  709. &pSession->TargetInfoLength);
  710. if(!NT_SUCCESS(Status)) {
  711. goto FINALLY;
  712. }
  713. } else if (DfsNameContext->pLMRTargetInfo){
  714. PLMR_QUERY_TARGET_INFO LmrTargetInfo = DfsNameContext->pLMRTargetInfo;
  715. #if 0
  716. DbgPrint("LMR TargetInfo is used %x\n",LmrTargetInfo);
  717. #endif
  718. pSession->TargetInfoMarshalled = RxAllocatePoolWithTag(PagedPool,
  719. LmrTargetInfo->BufferLength,
  720. MRXSMB_SESSION_POOLTAG);
  721. if (pSession->TargetInfoMarshalled == NULL) {
  722. Status = STATUS_INSUFFICIENT_RESOURCES;
  723. goto FINALLY;
  724. }
  725. pSession->TargetInfoLength = LmrTargetInfo->BufferLength;
  726. RtlCopyMemory(pSession->TargetInfoMarshalled,
  727. LmrTargetInfo->TargetInfoMarshalled,
  728. LmrTargetInfo->BufferLength);
  729. }
  730. }
  731. }
  732. TargetInfoMarshalled.Buffer = pSession->TargetInfoMarshalled;
  733. TargetInfoMarshalled.Length =
  734. TargetInfoMarshalled.MaximumLength = (USHORT)pSession->TargetInfoLength;
  735. Status = SecMakeSPNEx(
  736. &CifsServiceName,
  737. &ServerName,
  738. NULL,
  739. 0,
  740. NULL,
  741. (pSession->TargetInfoMarshalled? &TargetInfoMarshalled : NULL),
  742. &PrincipalName,
  743. &SpnSize,
  744. TRUE );
  745. pExtendedSessionSetupExchange = (PSMB_EXTENDED_SESSION_SETUP_EXCHANGE)pExchange;
  746. pExtendedSession = (PSMBCE_EXTENDED_SESSION)pSession;
  747. pResponseContext->KerberosSetup.pOutputContextBuffer = NULL;
  748. pServerPrincipalName = pExchange->SmbCeContext.pVNetRoot->pNetRoot->pSrvCall->pPrincipalName;
  749. RxDbgTrace(0,Dbg,("KerberosResponsePrologue: Prinicpal name length %ld\n",PrincipalName.Length));
  750. if ( ( pExtendedSessionSetupExchange->pServerResponseBlob == NULL) &&
  751. ( !SecIsValidHandle( &pExtendedSession->SecurityContextHandle ) ) ) {
  752. // This is the first time. Pass in the BLOB obtained during NEGOTIATE to
  753. // the client side security package.
  754. ServerSecurityBlobSize = pServer->NtServer.SecurityBlobLength;
  755. pServerSecurityBlob = pServer->NtServer.pSecurityBlob;
  756. } else {
  757. ServerSecurityBlobSize = pExtendedSessionSetupExchange->ServerResponseBlobLength;
  758. pServerSecurityBlob = pExtendedSessionSetupExchange->pServerResponseBlob;
  759. }
  760. try {
  761. if( !SecIsValidHandle( &pExtendedSession->CredentialHandle )) {
  762. // Obtain a credential handle
  763. UNICODE_STRING KerberosName;
  764. TimeStamp LifeTime;
  765. ULONG_PTR CredentialBufferLength;
  766. PSEC_WINNT_AUTH_IDENTITY_EX pCredentialBuffer;
  767. PBYTE pStringBuffer;
  768. // The supplied credentials need to be packaged for the kerberos package
  769. // These need to be supplied in a special format as speced out by the
  770. // security packages.
  771. CredentialBufferLength = 0;
  772. pCredentialBuffer = NULL;
  773. if(pSession->pUserName != NULL) {
  774. CredentialBufferLength += pSession->pUserName->Length + sizeof(WCHAR);
  775. }
  776. if (pSession->pUserDomainName != NULL) {
  777. CredentialBufferLength += pSession->pUserDomainName->Length + sizeof(WCHAR);
  778. }
  779. if(pSession->pPassword != NULL) {
  780. CredentialBufferLength += pSession->pPassword->Length + sizeof(WCHAR);
  781. }
  782. if (CredentialBufferLength != 0) {
  783. CredentialBufferLength += sizeof(SEC_WINNT_AUTH_IDENTITY_EX);
  784. pCredentialBuffer = ExAllocatePool( PagedPool, CredentialBufferLength );
  785. if ( pCredentialBuffer == NULL )
  786. {
  787. Status = STATUS_NO_MEMORY ;
  788. try_return( Status );
  789. }
  790. //
  791. // Zero all the fixed length fields
  792. //
  793. RtlZeroMemory( pCredentialBuffer, sizeof( SEC_WINNT_AUTH_IDENTITY_EX ) );
  794. pCredentialBuffer->Version = SEC_WINNT_AUTH_IDENTITY_VERSION ;
  795. pCredentialBuffer->Length = sizeof( SEC_WINNT_AUTH_IDENTITY_EX );
  796. pCredentialBuffer->Flags = (SEC_WINNT_AUTH_IDENTITY_UNICODE |
  797. SEC_WINNT_AUTH_IDENTITY_MARSHALLED);
  798. pStringBuffer = (PBYTE) (pCredentialBuffer + 1);
  799. if (pSession->pUserName != NULL) {
  800. pCredentialBuffer->UserLength = pSession->pUserName->Length / sizeof(WCHAR);
  801. pCredentialBuffer->User = (PWCHAR)pStringBuffer;
  802. RtlCopyMemory(
  803. pCredentialBuffer->User,
  804. pSession->pUserName->Buffer,
  805. pSession->pUserName->Length);
  806. pStringBuffer += pSession->pUserName->Length;
  807. SmbPutUshort(pStringBuffer,L'\0');
  808. pStringBuffer += sizeof(WCHAR);
  809. }
  810. if (pSession->pUserDomainName != NULL) {
  811. pCredentialBuffer->DomainLength = pSession->pUserDomainName->Length / sizeof(WCHAR);
  812. pCredentialBuffer->Domain = (PWCHAR)pStringBuffer;
  813. RtlCopyMemory(
  814. pCredentialBuffer->Domain,
  815. pSession->pUserDomainName->Buffer,
  816. pSession->pUserDomainName->Length);
  817. pStringBuffer += pSession->pUserDomainName->Length;
  818. SmbPutUshort(pStringBuffer,L'\0');
  819. pStringBuffer += sizeof(WCHAR);
  820. }
  821. if (pSession->pPassword != NULL) {
  822. pCredentialBuffer->PasswordLength = pSession->pPassword->Length / sizeof(WCHAR);
  823. pCredentialBuffer->Password = (PWCHAR)pStringBuffer;
  824. RtlCopyMemory(
  825. pCredentialBuffer->Password,
  826. pSession->pPassword->Buffer,
  827. pSession->pPassword->Length);
  828. pStringBuffer += pSession->pPassword->Length;
  829. SmbPutUshort(pStringBuffer, L'\0');
  830. pStringBuffer += sizeof(WCHAR);
  831. }
  832. }
  833. RxDbgTrace(0,Dbg,("KerberosResponsePrologue: Acquiring Credential handle\n"));
  834. RtlInitUnicodeString(&KerberosName, NEGOSSP_NAME_W);
  835. SecStatus = AcquireCredentialsHandleW(
  836. NULL,
  837. &KerberosName,
  838. SECPKG_CRED_OUTBOUND,
  839. &pExtendedSession->LogonId,
  840. pCredentialBuffer,
  841. NULL,
  842. NULL,
  843. &pExtendedSession->CredentialHandle,
  844. &LifeTime);
  845. Status = MapSecurityError( SecStatus );
  846. if ( pCredentialBuffer )
  847. {
  848. ExFreePool( pCredentialBuffer );
  849. pCredentialBuffer = NULL ;
  850. }
  851. if(!NT_SUCCESS(Status)) {
  852. SecInvalidateHandle( &pExtendedSession->CredentialHandle );
  853. SmbLogError(Status,
  854. LOG,
  855. BuildExtendedSessionSetupResponsePrologue_1,
  856. LOGPTR(pSession)
  857. LOGULONG(Status)
  858. LOGUSTR(ServerName));
  859. try_return(Status);
  860. }
  861. }
  862. if (SecIsValidHandle( &pExtendedSession->SecurityContextHandle) ) {
  863. pInputContextHandle = &pExtendedSession->SecurityContextHandle;
  864. }
  865. InputToken.pBuffers = &InputBuffer;
  866. InputToken.cBuffers = 1;
  867. InputToken.ulVersion = 0;
  868. InputBuffer.pvBuffer = pServerSecurityBlob;
  869. InputBuffer.cbBuffer = ServerSecurityBlobSize;
  870. InputBuffer.BufferType = SECBUFFER_TOKEN;
  871. RxDbgTrace(0,Dbg,("ExtendedSessionSetupResponsePrologue: Finished setting up input token\n"));
  872. OutputBuffer.pvBuffer = pSecurityBlobPtr ;
  873. OutputBuffer.cbBuffer = SmbCeGetExchangeServer( pExchange )->MaximumBufferSize ;
  874. OutputBuffer.cbBuffer -= (sizeof( REQ_SESSION_SETUP_ANDX ) + sizeof( SMB_HEADER ) + 0x80 );
  875. ASSERT( OutputBuffer.cbBuffer <= *pSecurityBlobSize );
  876. OutputBuffer.BufferType = SECBUFFER_TOKEN;
  877. OutputBufferSize = OutputBuffer.cbBuffer;
  878. OutputToken.pBuffers = &OutputBuffer;
  879. OutputToken.cBuffers = 1;
  880. OutputToken.ulVersion = SECBUFFER_VERSION ;
  881. if (MRxSmbSecuritySignaturesEnabled) {
  882. LsaFlags |= ISC_REQ_INTEGRITY;
  883. }
  884. RxDbgTrace(0,Dbg,("ExtendedSessionSetupResponsePrologue: Finished setting up output token\n"));
  885. SecStatus = InitializeSecurityContextW(
  886. &pExtendedSession->CredentialHandle,
  887. pInputContextHandle,
  888. &PrincipalName,
  889. LsaFlags,
  890. 0, // reserved
  891. SECURITY_NATIVE_DREP,
  892. &InputToken,
  893. 0, // reserved
  894. &pExtendedSession->SecurityContextHandle,
  895. &OutputToken,
  896. &Catts,
  897. &Expiry);
  898. Status = MapSecurityError( SecStatus );
  899. #if DBG
  900. //
  901. // RDR or SRV is sending in a corrupt security blob to LSA -- need to
  902. // find out what the source is.
  903. //
  904. if( NT_SUCCESS(Status) )
  905. {
  906. if( (OutputBuffer.pvBuffer != NULL) &&
  907. (OutputBuffer.cbBuffer >= sizeof(DWORD))
  908. )
  909. {
  910. PUCHAR pValidate = (PUCHAR) OutputBuffer.pvBuffer ;
  911. ASSERT( (pValidate[0] != 0) ||
  912. (pValidate[1] != 0) ||
  913. (pValidate[2] != 0) ||
  914. (pValidate[3] != 0) );
  915. }
  916. }
  917. #endif
  918. if((Status != STATUS_SUCCESS) &&
  919. (SecStatus != SEC_I_COMPLETE_NEEDED) &&
  920. (SecStatus != SEC_I_CONTINUE_NEEDED)) {
  921. SmbLogError(Status,
  922. LOG,
  923. BuildExtendedSessionSetupResponsePrologue_2,
  924. LOGPTR(pSession)
  925. LOGULONG(Status)
  926. LOGUSTR(ServerName));
  927. try_return(Status);
  928. }
  929. if ((SecStatus == SEC_I_COMPLETE_NEEDED) ||
  930. (SecStatus == SEC_I_CONTINUE_NEEDED)) {
  931. Status = STATUS_SUCCESS;
  932. }
  933. if (SecStatus == STATUS_SUCCESS) {
  934. SecPkgContext_SessionKey SecKeys;
  935. SecStatus = QueryContextAttributesW(
  936. &pExtendedSession->SecurityContextHandle,
  937. SECPKG_ATTR_SESSION_KEY,
  938. &SecKeys);
  939. Status = MapSecurityError( SecStatus );
  940. if (Status == STATUS_SUCCESS) {
  941. ULONG SessionKeyLength = (MSV1_0_USER_SESSION_KEY_LENGTH >
  942. SecKeys.SessionKeyLength) ?
  943. MSV1_0_USER_SESSION_KEY_LENGTH :
  944. SecKeys.SessionKeyLength;
  945. RtlZeroMemory(
  946. (PVOID) pSession->UserSessionKey,
  947. MSV1_0_USER_SESSION_KEY_LENGTH);
  948. RtlCopyMemory(
  949. (PVOID) pSession->UserSessionKey,
  950. SecKeys.SessionKey,
  951. SessionKeyLength);
  952. pSession->SessionKeyLength = SessionKeyLength;
  953. if (SecKeys.SessionKey != NULL) {
  954. FreeContextBuffer( SecKeys.SessionKey );
  955. }
  956. } else {
  957. SmbLogError(Status,
  958. LOG,
  959. BuildExtendedSessionSetupResponsePrologue_3,
  960. LOGPTR(pSession)
  961. LOGULONG(Status)
  962. LOGUSTR(ServerName));
  963. }
  964. }
  965. RxDbgTrace(0,Dbg,("ExtendedSessionSetupResponsePrologue: Initialize security context successful\n"));
  966. *pSecurityBlobSize = (USHORT)OutputBuffer.cbBuffer;
  967. try_exit:NOTHING;
  968. } finally {
  969. NOTHING ;
  970. }
  971. FINALLY:
  972. if(bTempServerName == TRUE) {
  973. RxFreePool(ServerName.Buffer);
  974. }
  975. if ( PrincipalName.Buffer )
  976. {
  977. ExFreePool( PrincipalName.Buffer );
  978. }
  979. if ((Status != STATUS_SUCCESS) &&
  980. (Status != STATUS_WRONG_PASSWORD) &&
  981. (Status != STATUS_MORE_PROCESSING_REQUIRED)) {
  982. /*
  983. if (!pServer->EventLogPosted) {
  984. RxLogFailure(
  985. MRxSmbDeviceObject,
  986. NULL,
  987. EVENT_RDR_CANT_GET_SECURITY_CONTEXT,
  988. Status);
  989. pServer->EventLogPosted = TRUE;
  990. } */
  991. SmbCeLog(("KerbProlg %lx Status %lx\n",SmbCeGetExchangeSessionEntry(pExchange),Status));
  992. SmbLogError(Status,
  993. LOG,
  994. BuildExtendedSessionSetupResponsePrologue,
  995. LOGPTR(pSession)
  996. LOGULONG(Status));
  997. }
  998. return Status;
  999. }
  1000. NTSTATUS
  1001. BuildExtendedSessionSetupResponseEpilogue(
  1002. PSECURITY_RESPONSE_CONTEXT pResponseContext)
  1003. {
  1004. ULONG_PTR Zero = 0 ;
  1005. PAGED_CODE();
  1006. return STATUS_SUCCESS;
  1007. }
  1008. NTSTATUS
  1009. ValidateServerExtendedSessionSetupResponse(
  1010. PSMB_EXTENDED_SESSION_SETUP_EXCHANGE pExtendedSessionSetupExchange,
  1011. PVOID pServerResponseBlob,
  1012. ULONG ServerResponseBlobLength)
  1013. /*++
  1014. Routine Description:
  1015. This routine builds the security related information for the session setup SMB to
  1016. a server with extended security negotiation
  1017. Arguments:
  1018. Return Value:
  1019. RXSTATUS - The return status for the operation
  1020. Notes:
  1021. Eventhough the genral structure of the code tries to isolate dialect specific issues
  1022. as much as possible this routine takes the opposite approach. This is because of the
  1023. preamble and prologue to security interaction which far outweigh the dialect specific
  1024. work required to be done. Therefore in the interests of a smaller footprint this approach
  1025. has been adopted.
  1026. --*/
  1027. {
  1028. NTSTATUS Status;
  1029. SECURITY_STATUS SecStatus;
  1030. ULONG Catts = 0;
  1031. TimeStamp Expiry;
  1032. ULONG LsaFlags = ISC_REQ_MUTUAL_AUTH | ISC_REQ_ALLOCATE_MEMORY;
  1033. UNICODE_STRING PrincipalName;
  1034. PUNICODE_STRING pServerPrincipalName;
  1035. PUCHAR pTempBlob = NULL;
  1036. PSMBCE_SERVER pServer = SmbCeGetExchangeServer(pExtendedSessionSetupExchange);
  1037. PSMBCE_SESSION pSession = SmbCeGetExchangeSession(pExtendedSessionSetupExchange);
  1038. UNICODE_STRING ServerName;
  1039. PUNICODE_STRING pServerDomainName;
  1040. PSMBCE_EXTENDED_SESSION pExtendedSession;
  1041. SecBufferDesc InputToken;
  1042. SecBuffer InputBuffer;
  1043. SecBufferDesc OutputToken;
  1044. SecBuffer OutputBuffer;
  1045. SecPkgContext_SessionKey SecKeys;
  1046. KAPC_STATE ApcState;
  1047. BOOLEAN AttachToSystemProcess = FALSE;
  1048. PAGED_CODE();
  1049. ASSERT((pExtendedSessionSetupExchange->Type == EXTENDED_SESSION_SETUP_EXCHANGE) &&
  1050. (pSession->Type == EXTENDED_NT_SESSION));
  1051. SecKeys.SessionKey = NULL;
  1052. pExtendedSession = (PSMBCE_EXTENDED_SESSION)pSession;
  1053. if (pExtendedSession == NULL ||
  1054. !SecIsValidHandle(&pExtendedSession->CredentialHandle)) {
  1055. return STATUS_INVALID_HANDLE;
  1056. }
  1057. SmbCeGetServerName(
  1058. pExtendedSessionSetupExchange->SmbCeContext.pVNetRoot->pNetRoot->pSrvCall,&ServerName);
  1059. try {
  1060. RxDbgTrace(0,Dbg,("ValidateServerResponse: Blob Length %ld\n",pExtendedSessionSetupExchange->ServerResponseBlobLength));
  1061. InputToken.pBuffers = &InputBuffer;
  1062. InputToken.cBuffers = 1;
  1063. InputToken.ulVersion = 0;
  1064. InputBuffer.pvBuffer = pServerResponseBlob ;
  1065. InputBuffer.cbBuffer = pExtendedSessionSetupExchange->ServerResponseBlobLength;
  1066. InputBuffer.BufferType = SECBUFFER_TOKEN;
  1067. RxDbgTrace(0,Dbg,("ValidateKerberosServerResponse: filled in input token\n"));
  1068. OutputToken.pBuffers = &OutputBuffer;
  1069. OutputToken.cBuffers = 1;
  1070. OutputToken.ulVersion = 0;
  1071. OutputBuffer.pvBuffer = NULL;
  1072. OutputBuffer.cbBuffer = 0;
  1073. OutputBuffer.BufferType = SECBUFFER_TOKEN;
  1074. RxDbgTrace(0,Dbg,("ValidateKerberosServerResponse: filled in output token\n"));
  1075. SecStatus = InitializeSecurityContextW(
  1076. &pExtendedSession->CredentialHandle,
  1077. &pExtendedSession->SecurityContextHandle,
  1078. NULL,
  1079. LsaFlags,
  1080. 0, // reserved
  1081. SECURITY_NATIVE_DREP,
  1082. &InputToken,
  1083. 0, // reserved
  1084. &pExtendedSession->SecurityContextHandle,
  1085. &OutputToken,
  1086. &Catts,
  1087. &Expiry);
  1088. Status = MapSecurityError( SecStatus );
  1089. #if DBG
  1090. //
  1091. // RDR or SRV is sending in a corrupt security blob to LSA -- need to
  1092. // find out what the source is.
  1093. //
  1094. if( NT_SUCCESS(Status) )
  1095. {
  1096. if( (OutputBuffer.pvBuffer != NULL) &&
  1097. (OutputBuffer.cbBuffer >= sizeof(DWORD))
  1098. )
  1099. {
  1100. ASSERT( NT_SUCCESS( KSecValidateBuffer( OutputBuffer.pvBuffer, OutputBuffer.cbBuffer ) ) );
  1101. }
  1102. }
  1103. #endif
  1104. if((Status != STATUS_SUCCESS) &&
  1105. (SecStatus != SEC_I_COMPLETE_NEEDED) &&
  1106. (SecStatus != SEC_I_CONTINUE_NEEDED)) {
  1107. SmbLogError(Status,
  1108. LOG,
  1109. ValidateServerExtendedSessionSetupResponse_1,
  1110. LOGPTR(pSession)
  1111. LOGULONG(Status)
  1112. LOGUSTR(ServerName));
  1113. try_return(Status);
  1114. }
  1115. if ((SecStatus == SEC_I_COMPLETE_NEEDED) ||
  1116. (SecStatus == SEC_I_CONTINUE_NEEDED)) {
  1117. Status = STATUS_MORE_PROCESSING_REQUIRED;
  1118. }
  1119. if (Status == STATUS_SUCCESS) {
  1120. SecStatus = QueryContextAttributesW(
  1121. &pExtendedSession->SecurityContextHandle,
  1122. SECPKG_ATTR_SESSION_KEY,
  1123. &SecKeys);
  1124. Status = MapSecurityError( SecStatus );
  1125. if (Status == STATUS_SUCCESS) {
  1126. ULONG SessionKeyLength = (MSV1_0_USER_SESSION_KEY_LENGTH >
  1127. SecKeys.SessionKeyLength) ?
  1128. MSV1_0_USER_SESSION_KEY_LENGTH :
  1129. SecKeys.SessionKeyLength;
  1130. RtlZeroMemory(
  1131. (PVOID) pSession->UserSessionKey,
  1132. MSV1_0_USER_SESSION_KEY_LENGTH);
  1133. RtlCopyMemory(
  1134. (PVOID) pSession->UserSessionKey,
  1135. SecKeys.SessionKey,
  1136. SessionKeyLength);
  1137. pSession->SessionKeyLength = SessionKeyLength;
  1138. } else {
  1139. SmbLogError(Status,
  1140. LOG,
  1141. ValidateServerExtendedSessionSetupResponse_2,
  1142. LOGPTR(pSession)
  1143. LOGULONG(Status)
  1144. LOGUSTR(ServerName));
  1145. }
  1146. if (SecKeys.SessionKey != NULL) {
  1147. FreeContextBuffer( SecKeys.SessionKey );
  1148. }
  1149. }
  1150. RxDbgTrace(0,Dbg,("ValidateKerberosServerResponse: SecuritContext returned %ld\n",Status));
  1151. if (OutputBuffer.pvBuffer != NULL) {
  1152. FreeContextBuffer(OutputBuffer.pvBuffer);
  1153. }
  1154. try_exit:NOTHING;
  1155. } finally {
  1156. NOTHING ;
  1157. }
  1158. if ((Status != STATUS_SUCCESS) &&
  1159. (Status != STATUS_WRONG_PASSWORD) &&
  1160. (Status != STATUS_MORE_PROCESSING_REQUIRED)) {
  1161. /*
  1162. if (!pServer->EventLogPosted) {
  1163. RxLogFailure(
  1164. MRxSmbDeviceObject,
  1165. NULL,
  1166. EVENT_RDR_CANT_GET_SECURITY_CONTEXT,
  1167. Status);
  1168. pServer->EventLogPosted = TRUE;
  1169. } */
  1170. SmbCeLog((
  1171. "ValServer %lx Status %lx\n",
  1172. SmbCeGetExchangeSessionEntry(
  1173. (PSMB_EXCHANGE)pExtendedSessionSetupExchange),
  1174. Status));
  1175. SmbLogError(Status,
  1176. LOG,
  1177. ValidateServerExtendedSessionSetupResponse,
  1178. LOGPTR(pSession)
  1179. LOGULONG(Status));
  1180. }
  1181. return Status;
  1182. }
  1183. VOID
  1184. UninitializeSecurityContextsForSession(
  1185. PSMBCE_SESSION pSession)
  1186. {
  1187. CtxtHandle CredentialHandle,SecurityContextHandle ;
  1188. SmbCeLog(("UninitSecCont %lx\n",pSession));
  1189. SmbLog(LOG,
  1190. UninitializeSecurityContextsForSession,
  1191. LOGPTR(pSession));
  1192. SmbCeAcquireSpinLock();
  1193. CredentialHandle = pSession->CredentialHandle;
  1194. SecInvalidateHandle( &pSession->CredentialHandle );
  1195. SecurityContextHandle = pSession->SecurityContextHandle;
  1196. SecInvalidateHandle( &pSession->SecurityContextHandle );
  1197. SmbCeReleaseSpinLock();
  1198. if (SecIsValidHandle(&CredentialHandle)) {
  1199. if (FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION) ||
  1200. MRxSmbUseKernelModeSecurity) {
  1201. FreeCredentialsHandleK(&CredentialHandle);
  1202. } else {
  1203. FreeCredentialsHandle(&CredentialHandle);
  1204. }
  1205. }
  1206. if (SecIsValidHandle(&SecurityContextHandle)) {
  1207. if (FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION) ||
  1208. MRxSmbUseKernelModeSecurity) {
  1209. DeleteSecurityContextK(&SecurityContextHandle);
  1210. } else {
  1211. DeleteSecurityContext(&SecurityContextHandle);
  1212. }
  1213. }
  1214. }
  1215. VOID
  1216. DeleteSecurityContextForSession(
  1217. PSMBCE_SESSION pSession)
  1218. {
  1219. CtxtHandle SecurityContextHandle ;
  1220. SmbCeLog(("DelSecContext %lx\n",pSession));
  1221. SmbLog(LOG,
  1222. DeleteSecurityContextForSession,
  1223. LOGPTR(pSession));
  1224. SmbCeAcquireSpinLock();
  1225. SecurityContextHandle = pSession->SecurityContextHandle;
  1226. SecInvalidateHandle( &pSession->SecurityContextHandle);
  1227. SmbCeReleaseSpinLock();
  1228. if (SecIsValidHandle(&SecurityContextHandle)) {
  1229. if (FlagOn(pSession->Flags,SMBCE_SESSION_FLAGS_REMOTE_BOOT_SESSION) ||
  1230. MRxSmbUseKernelModeSecurity) {
  1231. DeleteSecurityContextK(&SecurityContextHandle);
  1232. } else {
  1233. DeleteSecurityContext(&SecurityContextHandle);
  1234. }
  1235. }
  1236. }
  1237. NTSTATUS
  1238. BuildExtendedSessionSetupResponsePrologueFake(
  1239. PSMB_EXCHANGE pExchange)
  1240. /*++
  1241. Routine Description:
  1242. This routine builds the security related information for the session setup SMB to
  1243. a NT server with extended security
  1244. Arguments:
  1245. Return Value:
  1246. NTSTATUS - The return status for the operation
  1247. Notes:
  1248. Eventhough the genral structure of the code tries to isolate dialect specific issues
  1249. as much as possible this routine takes the opposite approach. This is because of the
  1250. preamble and prologue to security interaction which far outweigh the dialect specific
  1251. work required to be done. Therefore in the interests of a smaller footprint this approach
  1252. has been adopted.
  1253. This routine needs to be executed in the system process in order to protect virtual memory
  1254. --*/
  1255. {
  1256. NTSTATUS Status;
  1257. SECURITY_STATUS SecStatus;
  1258. TimeStamp Expiry;
  1259. ULONG Catts = ISC_RET_MUTUAL_AUTH;
  1260. ULONG LsaFlags = (ISC_REQ_DELEGATE |
  1261. ISC_REQ_MUTUAL_AUTH |
  1262. ISC_REQ_FRAGMENT_TO_FIT);
  1263. ULONG_PTR RegionSize = 0;
  1264. ULONG_PTR OutputBufferSize;
  1265. UNICODE_STRING PrincipalName;
  1266. PUNICODE_STRING pServerPrincipalName;
  1267. PVOID pServerSecurityBlob;
  1268. ULONG ServerSecurityBlobSize;
  1269. PSMBCE_SERVER pServer = SmbCeGetExchangeServer(pExchange);
  1270. PSMBCE_SESSION pSession = SmbCeGetExchangeSession(pExchange);
  1271. PSMBCEDB_SERVER_ENTRY pServerEntry = SmbCeGetExchangeServerEntry(pExchange);
  1272. UNICODE_STRING ServerName;
  1273. PUNICODE_STRING pServerDomainName;
  1274. SMBCE_EXTENDED_SESSION ExtendedSession;
  1275. SecBufferDesc InputToken;
  1276. SecBuffer InputBuffer = { 0 };
  1277. SecBufferDesc OutputToken;
  1278. SecBuffer OutputBuffer = { 0 };
  1279. PCtxtHandle pInputContextHandle = NULL;
  1280. SecPkgContext_NegotiationInfoW NegInfo = { 0 };
  1281. PAGED_CODE();
  1282. SmbCeGetServerName(
  1283. pExchange->SmbCeContext.pVNetRoot->pNetRoot->pSrvCall,
  1284. &ServerName);
  1285. ASSERT(ServerName.MaximumLength > (ServerName.Length + sizeof(WCHAR)));
  1286. ExtendedSession.Flags = pSession->Flags;
  1287. ExtendedSession.LogonId = pSession->LogonId;
  1288. SecInvalidateHandle( &ExtendedSession.CredentialHandle );
  1289. SecInvalidateHandle( &ExtendedSession.SecurityContextHandle );
  1290. pServerPrincipalName = pExchange->SmbCeContext.pVNetRoot->pNetRoot->pSrvCall->pPrincipalName;
  1291. ServerSecurityBlobSize = 0; //there is no security blob in case of NTLM
  1292. pServerSecurityBlob = NULL;
  1293. try {
  1294. UNICODE_STRING KerberosName;
  1295. TimeStamp LifeTime;
  1296. ULONG_PTR CredentialBufferLength;
  1297. PSEC_WINNT_AUTH_IDENTITY_EXW pCredentialBuffer;
  1298. PBYTE pStringBuffer;
  1299. CredentialBufferLength = 0;
  1300. pCredentialBuffer = NULL;
  1301. if(pSession->pUserName != NULL) {
  1302. CredentialBufferLength += pSession->pUserName->Length + sizeof(WCHAR);
  1303. }
  1304. if (pSession->pUserDomainName != NULL) {
  1305. CredentialBufferLength += pSession->pUserDomainName->Length + sizeof(WCHAR);
  1306. }
  1307. if(pSession->pPassword != NULL) {
  1308. CredentialBufferLength += pSession->pPassword->Length + sizeof(WCHAR);
  1309. }
  1310. if (CredentialBufferLength != 0) {
  1311. CredentialBufferLength += sizeof(SEC_WINNT_AUTH_IDENTITY_EXW);
  1312. pCredentialBuffer = (PSEC_WINNT_AUTH_IDENTITY_EXW) ExAllocatePool(
  1313. PagedPool,
  1314. CredentialBufferLength );
  1315. if ( !pCredentialBuffer )
  1316. {
  1317. Status = STATUS_NO_MEMORY ;
  1318. try_return( Status );
  1319. }
  1320. //
  1321. // Zero the fixed portion
  1322. //
  1323. RtlZeroMemory( pCredentialBuffer, sizeof( SEC_WINNT_AUTH_IDENTITY_EXW ));
  1324. pCredentialBuffer->Version = SEC_WINNT_AUTH_IDENTITY_VERSION ;
  1325. pCredentialBuffer->Length = sizeof( SEC_WINNT_AUTH_IDENTITY_EXW );
  1326. pCredentialBuffer->Flags = (SEC_WINNT_AUTH_IDENTITY_UNICODE |
  1327. SEC_WINNT_AUTH_IDENTITY_MARSHALLED);
  1328. pStringBuffer = (PBYTE)( pCredentialBuffer + 1 );
  1329. if (pSession->pUserName != NULL) {
  1330. pCredentialBuffer->UserLength = pSession->pUserName->Length / sizeof(WCHAR);
  1331. pCredentialBuffer->User = (PWCHAR)pStringBuffer;
  1332. RtlCopyMemory(
  1333. pCredentialBuffer->User,
  1334. pSession->pUserName->Buffer,
  1335. pSession->pUserName->Length);
  1336. pStringBuffer += pSession->pUserName->Length;
  1337. SmbPutUshort(pStringBuffer,L'\0');
  1338. pStringBuffer += sizeof(WCHAR);
  1339. }
  1340. if (pSession->pUserDomainName != NULL) {
  1341. pCredentialBuffer->DomainLength = pSession->pUserDomainName->Length / sizeof(WCHAR);
  1342. pCredentialBuffer->Domain = (PWCHAR)pStringBuffer;
  1343. RtlCopyMemory(
  1344. pCredentialBuffer->Domain,
  1345. pSession->pUserDomainName->Buffer,
  1346. pSession->pUserDomainName->Length);
  1347. pStringBuffer += pSession->pUserDomainName->Length;
  1348. SmbPutUshort(pStringBuffer,L'\0');
  1349. pStringBuffer += sizeof(WCHAR);
  1350. }
  1351. if (pSession->pPassword != NULL) {
  1352. pCredentialBuffer->PasswordLength = pSession->pPassword->Length / sizeof(WCHAR);
  1353. pCredentialBuffer->Password = (PWCHAR)pStringBuffer;
  1354. RtlCopyMemory(
  1355. pCredentialBuffer->Password,
  1356. pSession->pPassword->Buffer,
  1357. pSession->pPassword->Length);
  1358. pStringBuffer += pSession->pPassword->Length;
  1359. SmbPutUshort(pStringBuffer, L'\0');
  1360. pStringBuffer += sizeof(WCHAR);
  1361. }
  1362. }
  1363. RxDbgTrace(0,Dbg,("KerberosResponsePrologue: Acquiring Credential handle\n"));
  1364. RtlInitUnicodeString(&KerberosName, NEGOSSP_NAME_W);
  1365. SecStatus = AcquireCredentialsHandleW(
  1366. NULL,
  1367. &KerberosName,
  1368. SECPKG_CRED_OUTBOUND,
  1369. &ExtendedSession.LogonId,
  1370. pCredentialBuffer,
  1371. NULL,
  1372. NULL,
  1373. &ExtendedSession.CredentialHandle,
  1374. &LifeTime);
  1375. Status = MapSecurityError( SecStatus );
  1376. if (pCredentialBuffer != NULL) {
  1377. ExFreePool( pCredentialBuffer );
  1378. }
  1379. if(!NT_SUCCESS(Status)) {
  1380. SecInvalidateHandle( &ExtendedSession.CredentialHandle );
  1381. SmbLogError(Status,
  1382. LOG,
  1383. BuildExtendedSessionSetupResponsePrologueFake_1,
  1384. LOGPTR(pSession)
  1385. LOGULONG(Status)
  1386. LOGUSTR(ServerName));
  1387. try_return(Status);
  1388. }
  1389. Status = SecMakeSPN(
  1390. &CifsServiceName,
  1391. &ServerName,
  1392. NULL,
  1393. 0,
  1394. NULL,
  1395. &PrincipalName,
  1396. NULL,
  1397. TRUE );
  1398. InputToken.pBuffers = &InputBuffer;
  1399. InputToken.cBuffers = 1;
  1400. InputToken.ulVersion = 0;
  1401. InputBuffer.pvBuffer = pServerSecurityBlob;
  1402. InputBuffer.cbBuffer = ServerSecurityBlobSize;
  1403. InputBuffer.BufferType = SECBUFFER_TOKEN;
  1404. OutputBuffer.pvBuffer = NULL;
  1405. OutputBuffer.cbBuffer = SmbCeGetExchangeServer( pExchange )->MaximumBufferSize;
  1406. OutputBuffer.cbBuffer -= (sizeof( REQ_SESSION_SETUP_ANDX ) + sizeof( SMB_HEADER ) + 0x80 );
  1407. OutputBuffer.BufferType = SECBUFFER_TOKEN;
  1408. OutputBufferSize = OutputBuffer.cbBuffer;
  1409. OutputBuffer.pvBuffer = ExAllocatePool( PagedPool, OutputBufferSize );
  1410. if ( OutputBuffer.pvBuffer == NULL )
  1411. {
  1412. Status = STATUS_NO_MEMORY ;
  1413. try_return( Status );
  1414. }
  1415. OutputToken.pBuffers = &OutputBuffer;
  1416. OutputToken.cBuffers = 1;
  1417. OutputToken.ulVersion = SECBUFFER_VERSION ;
  1418. if (pServerEntry->Server.SecurityMode == SECURITY_MODE_SHARE_LEVEL)
  1419. {
  1420. LsaFlags |= ISC_REQ_USE_SUPPLIED_CREDS;
  1421. }
  1422. SecStatus = InitializeSecurityContextW(
  1423. &ExtendedSession.CredentialHandle,
  1424. pInputContextHandle,
  1425. &PrincipalName,
  1426. LsaFlags,
  1427. 0, // reserved
  1428. SECURITY_NATIVE_DREP,
  1429. &InputToken,
  1430. 0, // reserved
  1431. &ExtendedSession.SecurityContextHandle,
  1432. &OutputToken,
  1433. &Catts,
  1434. &Expiry);
  1435. Status = MapSecurityError( SecStatus );
  1436. #if DBG
  1437. //
  1438. // RDR or SRV is sending in a corrupt security blob to LSA -- need to
  1439. // find out what the source is.
  1440. //
  1441. if( NT_SUCCESS(Status) )
  1442. {
  1443. if( (OutputBuffer.pvBuffer != NULL) &&
  1444. (OutputBuffer.cbBuffer >= sizeof(DWORD))
  1445. )
  1446. {
  1447. ASSERT( NT_SUCCESS( KSecValidateBuffer( OutputBuffer.pvBuffer, OutputBuffer.cbBuffer ) ) );
  1448. }
  1449. }
  1450. #endif
  1451. if((Status != STATUS_SUCCESS) &&
  1452. (SecStatus != SEC_I_COMPLETE_NEEDED) &&
  1453. (SecStatus != SEC_I_CONTINUE_NEEDED)) {
  1454. RxLog(("ISC returned %lx\n",Status));
  1455. SmbLogError(Status,
  1456. LOG,
  1457. BuildExtendedSessionSetupResponsePrologueFake_2,
  1458. LOGPTR(pSession)
  1459. LOGULONG(Status)
  1460. LOGUSTR(ServerName));
  1461. try_return(Status);
  1462. }
  1463. SecStatus = QueryContextAttributesW(
  1464. &ExtendedSession.SecurityContextHandle,
  1465. SECPKG_ATTR_NEGOTIATION_INFO,
  1466. &NegInfo);
  1467. Status = MapSecurityError( SecStatus );
  1468. if (Status != STATUS_SUCCESS) {
  1469. RxLog(("QCA returned %lx\n",Status));
  1470. SmbLogError(Status,
  1471. LOG,
  1472. BuildExtendedSessionSetupResponsePrologueFake_3,
  1473. LOGPTR(pSession)
  1474. LOGULONG(Status)
  1475. LOGUSTR(ServerName));
  1476. }
  1477. try_exit:NOTHING;
  1478. } finally {
  1479. if (Status == STATUS_SUCCESS) {
  1480. if (NegInfo.PackageInfo->wRPCID != NTLMSP_RPCID) {
  1481. Status = STATUS_LOGIN_WKSTA_RESTRICTION;
  1482. //RxLogFailure(
  1483. // MRxSmbDeviceObject,
  1484. // NULL,
  1485. // EVENT_RDR_ENCOUNTER_DOWNGRADE_ATTACK,
  1486. // Status);
  1487. RxLog(("NTLM downgrade attack from %wZ\n",&pServerEntry->Name));
  1488. #if DBG
  1489. DbgPrint("NTLM downgrade attack from %wZ\n",&pServerEntry->Name);
  1490. #endif
  1491. SmbLogError(Status,
  1492. LOG,
  1493. BuildExtendedSessionSetupResponsePrologueFake_4,
  1494. LOGPTR(pSession)
  1495. LOGULONG(Status)
  1496. LOGUSTR(ServerName));
  1497. }
  1498. }
  1499. UninitializeSecurityContextsForSession((PSMBCE_SESSION)(&ExtendedSession));
  1500. if ( NegInfo.PackageInfo != NULL) {
  1501. FreeContextBuffer(NegInfo.PackageInfo);
  1502. }
  1503. if (OutputBuffer.pvBuffer != NULL) {
  1504. ExFreePool( OutputBuffer.pvBuffer );
  1505. }
  1506. SmbLogError(Status,
  1507. LOG,
  1508. BuildExtendedSessionSetupResponsePrologueFake,
  1509. LOGPTR(pSession)
  1510. LOGULONG(Status));
  1511. }
  1512. return Status;
  1513. }