archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Branch: master
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'master'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/base/lsa/server/credapi.cxx

562 lines
14 KiB
Raw Permalink Normal View History

Add source files
4 years ago
  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 1991 - 1992
  6. //
  7. // File: credapi.c
  8. //
  9. // Contents: Credential related APIs to the SPMgr
  10. // - LsaEstablishCreds
  11. // - LsaLogonUser
  12. // - LsaAcquireCredHandle
  13. // - LsaFreeCredHandle
  14. //
  15. //
  16. // History: 20 May 92 RichardW Commented existing code
  17. //
  18. //------------------------------------------------------------------------
  20. #include <lsapch.hxx>
  21. extern "C"
  22. {
  23. #include "adtp.h"
  24. #include "msaudite.h" // LsaAuditLogon
  25. #include "suppcred.h"
  26. }
  29. //+-------------------------------------------------------------------------
  30. //
  31. // Function: WLsaEstablishCreds
  32. //
  33. // Synopsis: Establishes credentials for a process.
  34. //
  35. // Effects:
  36. //
  37. // Arguments:
  38. //
  39. // Requires:
  40. //
  41. // Returns:
  42. //
  43. // Notes:
  44. //
  45. //--------------------------------------------------------------------------
  46. NTSTATUS
  47. WLsaEstablishCreds( PSECURITY_STRING pName,
  48. PSECURITY_STRING pSecPackage,
  49. DWORD cbKey,
  50. PBYTE pbKey,
  51. PCredHandle pcredHandle,
  52. PTimeStamp ptsExpiry)
  53. {
  55. return(SEC_E_UNSUPPORTED_FUNCTION);
  57. }
  60. //+-------------------------------------------------------------------------
  61. //
  62. // Function: WLsaAcquireCredHandle
  63. //
  64. // Synopsis:
  65. //
  66. // Effects:
  67. //
  68. // Arguments:
  69. //
  70. // Requires:
  71. //
  72. // Returns:
  73. //
  74. // Notes:
  75. //
  76. //--------------------------------------------------------------------------
  78. NTSTATUS
  79. WLsaAcquireCredHandle( PSECURITY_STRING pPrincipal,
  80. PSECURITY_STRING pSecPackage,
  81. DWORD fCredentialUse,
  82. PLUID pLogonID,
  83. PVOID pvAuthData,
  84. PVOID pvGetKeyFn,
  85. PVOID pvGetKeyArgument,
  86. PCredHandle phCredential,
  87. PTimeStamp ptsExpiry)
  88. {
  89. PLSAP_SECURITY_PACKAGE pspPackage;
  90. NTSTATUS scRet;
  91. LUID CallerLogonID;
  92. PSession pSession = GetCurrentSession();
  93. SECPKG_CLIENT_INFO ClientInfo;
  94. PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
  96. //
  97. // Check if the caller is restricted
  98. //
  99. scRet = LsapGetClientInfo(&ClientInfo);
  100. if (!NT_SUCCESS(scRet))
  101. {
  102. DebugLog((DEB_ERROR,"Failed to get client info: 0x%x\n",scRet));
  103. return(scRet);
  104. }
  106. //
  107. // If the caller is restricted, fail the call for now. This should change
  108. // if packages are able to support restrictions. In that case, the call
  109. // should check the package capabilities for handling restrictions and
  110. // if it supports restrictions, allow the call to continue.
  111. //
  113. if (ClientInfo.Restricted)
  114. {
  115. DebugLog((DEB_WARN,"Trying to acquire credentials with a restrictred token\n"));
  116. scRet = SEC_E_NO_CREDENTIALS;
  117. return(scRet);
  118. }
  120. #if DBG
  121. if (pPrincipal->Length)
  122. {
  123. DebugLog((DEB_TRACE_WAPI, "[%x] AcquireCredentialHandle(%ws, %ws)\n",
  124. pSession->dwProcessID, pPrincipal->Buffer, pSecPackage->Buffer));
  125. }
  126. else
  127. {
  128. DebugLog((DEB_TRACE_WAPI, "[%x] AcquireCredHandle(%x:%x, %ws)\n",
  129. pSession->dwProcessID, pLogonID->HighPart, pLogonID->LowPart,
  130. pSecPackage->Buffer));
  131. }
  132. #endif // DBG
  134. phCredential->dwUpper = 0;
  135. phCredential->dwLower = 0xFFFFFFFF;
  136. ptsExpiry->LowPart = 0;
  137. ptsExpiry->HighPart = 0;
  139. pspPackage = SpmpLookupPackageAndRequest(pSecPackage,
  140. SP_ORDINAL_ACQUIRECREDHANDLE);
  141. if (!pspPackage)
  142. {
  143. return(SEC_E_SECPKG_NOT_FOUND);
  144. }
  146. SetCurrentPackageId(pspPackage->dwPackageID);
  148. CallerLogonID = *pLogonID;
  150. StartCallToPackage( pspPackage );
  152. __try
  153. {
  154. scRet = pspPackage->FunctionTable.AcquireCredentialsHandle(pPrincipal,
  155. fCredentialUse,
  156. &CallerLogonID,
  157. pvAuthData,
  158. pvGetKeyFn,
  159. pvGetKeyArgument,
  160. &phCredential->dwUpper,
  161. ptsExpiry);
  162. }
  163. __except (SP_EXCEPTION)
  164. {
  165. scRet = GetExceptionCode();
  166. scRet = SPException(scRet, pspPackage->dwPackageID);
  167. }
  169. EndCallToPackage( pspPackage );
  171. if (FAILED(scRet))
  172. {
  173. DebugLog((DEB_WARN, "Failed to acquire cred handle for %ws with %ws\n",
  174. pPrincipal->Buffer, pSecPackage->Buffer));
  175. return(scRet);
  176. }
  178. phCredential->dwLower = pspPackage->dwPackageID;
  180. if(!AddCredHandle(pSession, phCredential, 0))
  181. {
  182. DebugLog(( DEB_ERROR, "Failed adding credential handle %p:%p to session %p\n",
  183. phCredential->dwUpper, phCredential->dwLower,
  184. pSession ));
  186. pspPackage = SpmpLookupPackageAndRequest(pSecPackage,
  187. SP_ORDINAL_FREECREDHANDLE);
  189. if( pspPackage )
  190. {
  191. ULONG OldCallCount = CallInfo->CallInfo.CallCount;
  193. CallInfo->CallInfo.CallCount = 1 ;
  196. //
  197. // remove the handle from the underlying package.
  198. //
  200. StartCallToPackage( pspPackage );
  202. __try
  203. {
  204. pspPackage->FunctionTable.FreeCredentialsHandle(
  205. phCredential->dwUpper
  206. );
  207. }
  208. __except (SP_EXCEPTION)
  209. {
  210. NOTHING;
  211. }
  213. EndCallToPackage( pspPackage );
  215. CallInfo->CallInfo.CallCount = OldCallCount;
  217. }
  219. phCredential->dwLower = 0;
  220. phCredential->dwUpper = 0;
  222. return SEC_E_INSUFFICIENT_MEMORY;
  223. }
  225. LsapLogCallInfo( CallInfo, pSession, *phCredential );
  227. return(scRet);
  228. }
  231. NTSTATUS
  232. WLsaAddCredentials(
  233. PCredHandle phCredential,
  234. PSECURITY_STRING pPrincipal,
  235. PSECURITY_STRING pSecPackage,
  236. DWORD fCredentialUse,
  237. PVOID pvAuthData,
  238. PVOID pvGetKeyFn,
  239. PVOID pvGetKeyArgument,
  240. PTimeStamp ptsExpiry)
  241. {
  242. PLSAP_SECURITY_PACKAGE pspPackage;
  243. NTSTATUS scRet;
  244. LUID CallerLogonID;
  245. PSession pSession = GetCurrentSession();
  246. SECPKG_CLIENT_INFO ClientInfo;
  247. PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
  248. PVOID CredKey ;
  250. //
  251. // Check if the caller is restricted
  252. //
  253. scRet = LsapGetClientInfo(&ClientInfo);
  254. if (!NT_SUCCESS(scRet))
  255. {
  256. DebugLog((DEB_ERROR,"Failed to get client info: 0x%x\n",scRet));
  257. return(scRet);
  258. }
  260. //
  261. // If the caller is restricted, fail the call for now. This should change
  262. // if packages are able to support restrictions. In that case, the call
  263. // should check the package capabilities for handling restrictions and
  264. // if it supports restrictions, allow the call to continue.
  265. //
  267. if (ClientInfo.Restricted)
  268. {
  269. DebugLog((DEB_WARN,"Trying to acquire credentials with a restrictred token\n"));
  270. scRet = SEC_E_NO_CREDENTIALS;
  271. return(scRet);
  272. }
  274. #if DBG
  275. if (pPrincipal->Length)
  276. {
  277. DebugLog((DEB_TRACE_WAPI, "[%x] AddCredentials(%ws, %ws)\n",
  278. pSession->dwProcessID, pPrincipal->Buffer, pSecPackage->Buffer));
  279. }
  280. else
  281. {
  282. DebugLog((DEB_TRACE_WAPI, "[%x] AddCredentials(%ws)\n",
  283. pSession->dwProcessID,
  284. pSecPackage->Buffer));
  285. }
  286. #endif // DBG
  288. ptsExpiry->LowPart = 0;
  289. ptsExpiry->HighPart = 0;
  291. LsapLogCallInfo( CallInfo, pSession, *phCredential );
  293. scRet = ValidateCredHandle(
  294. pSession,
  295. phCredential,
  296. &CredKey );
  298. if ( NT_SUCCESS( scRet ) )
  299. {
  300. pspPackage = SpmpValidRequest( phCredential->dwLower,
  301. SP_ORDINAL_ADDCREDENTIALS );
  302. }
  303. else
  304. {
  305. DsysAssert( (pSession->fSession & SESFLAG_KERNEL) == 0 );
  307. return( SEC_E_INVALID_HANDLE );
  308. }
  310. if (!pspPackage)
  311. {
  312. return(SEC_E_SECPKG_NOT_FOUND);
  313. }
  315. SetCurrentPackageId(pspPackage->dwPackageID);
  317. StartCallToPackage( pspPackage );
  319. __try
  320. {
  321. scRet = pspPackage->FunctionTable.AddCredentials(
  322. phCredential->dwUpper,
  323. pPrincipal,
  324. pSecPackage,
  325. fCredentialUse,
  326. pvAuthData,
  327. pvGetKeyFn,
  328. pvGetKeyArgument,
  329. ptsExpiry);
  330. }
  331. __except (SP_EXCEPTION)
  332. {
  333. scRet = GetExceptionCode();
  334. scRet = SPException(scRet, pspPackage->dwPackageID);
  335. }
  337. EndCallToPackage( pspPackage );
  339. if (FAILED(scRet))
  340. {
  341. DebugLog((DEB_WARN, "Failed to add credentials for %ws with %ws\n",
  342. pPrincipal->Buffer, pSecPackage->Buffer));
  343. return(scRet);
  344. }
  346. LsapLogCallInfo( CallInfo, pSession, *phCredential );
  348. return(scRet);
  349. }
  355. //+-------------------------------------------------------------------------
  356. //
  357. // Function: WLsaFreeCredHandle
  358. //
  359. // Synopsis: Worker function to free a cred handle,
  360. //
  361. // Effects: calls into a package to free the handle
  362. //
  363. // Arguments:
  364. //
  365. // Requires:
  366. //
  367. // Returns:
  368. //
  369. // Notes:
  370. //
  371. //--------------------------------------------------------------------------
  372. NTSTATUS
  373. WLsaFreeCredHandle( PCredHandle phCreds)
  374. {
  375. NTSTATUS scRet;
  376. PSession pSession = GetCurrentSession();
  377. PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
  378. PLSAP_SECURITY_PACKAGE pPackage;
  381. IsOkayToExec(0);
  383. DebugLog((DEB_TRACE_WAPI, "[%x] WLsaFreeCredHandle(%p : %p)\n",
  384. pSession->dwProcessID, phCreds->dwUpper, phCreds->dwLower));
  386. scRet = ValidateAndDerefCredHandle( pSession, phCreds );
  388. if ( !NT_SUCCESS( scRet ) )
  389. {
  390. if ( ( CallInfo->Flags & CALL_FLAG_NO_HANDLE_CHK ) == 0 )
  391. {
  392. DsysAssert( (pSession->fSession & SESFLAG_KERNEL) == 0 );
  393. }
  394. }
  396. LsapLogCallInfo( CallInfo, pSession, *phCreds );
  398. if (SUCCEEDED(scRet))
  399. {
  400. phCreds->dwUpper = phCreds->dwLower = 0xFFFFFFFF;
  401. }
  403. return(scRet);
  405. }
  410. //+-------------------------------------------------------------------------
  411. //
  412. // Function: SpmpFreePrimaryCredentials
  413. //
  414. // Synopsis: Frees primary credentials allocated with LsapAllocateLsaHeap
  415. //
  416. // Effects:
  417. //
  418. // Arguments:
  419. //
  420. // Requires:
  421. //
  422. // Returns:
  423. //
  424. // Notes:
  425. //
  426. //
  427. //--------------------------------------------------------------------------
  430. VOID
  431. SpmpFreePrimaryCredentials(
  432. IN PSECPKG_PRIMARY_CRED PrimaryCred
  433. )
  434. {
  436. if (PrimaryCred->DownlevelName.Buffer != NULL)
  437. {
  438. LsapFreeLsaHeap(PrimaryCred->DownlevelName.Buffer);
  439. PrimaryCred->DownlevelName.Buffer = NULL;
  440. }
  441. if (PrimaryCred->DomainName.Buffer != NULL)
  442. {
  443. LsapFreeLsaHeap(PrimaryCred->DomainName.Buffer);
  444. PrimaryCred->DomainName.Buffer = NULL;
  445. }
  446. if (PrimaryCred->DnsDomainName.Buffer != NULL)
  447. {
  448. LsapFreeLsaHeap(PrimaryCred->DnsDomainName.Buffer);
  449. PrimaryCred->DnsDomainName.Buffer = NULL;
  450. }
  451. if (PrimaryCred->Upn.Buffer != NULL)
  452. {
  453. LsapFreeLsaHeap(PrimaryCred->Upn.Buffer);
  454. PrimaryCred->Upn.Buffer = NULL;
  455. }
  456. if (PrimaryCred->Password.Buffer != NULL)
  457. {
  458. LsapFreeLsaHeap(PrimaryCred->Password.Buffer);
  459. PrimaryCred->Password.Buffer = NULL;
  460. }
  461. if (PrimaryCred->LogonServer.Buffer != NULL)
  462. {
  463. LsapFreeLsaHeap(PrimaryCred->LogonServer.Buffer);
  464. PrimaryCred->LogonServer.Buffer = NULL;
  465. }
  466. if (PrimaryCred->UserSid != NULL)
  467. {
  468. LsapFreeLsaHeap(PrimaryCred->UserSid);
  469. PrimaryCred->UserSid = NULL;
  470. }
  471. }
  474. //+-------------------------------------------------------------------------
  475. //
  476. // Function: WLsaQueryCredAttributes
  477. //
  478. // Synopsis: SPMgr worker to query credential attributes
  479. //
  480. // Effects:
  481. //
  482. // Arguments:
  483. //
  484. // Requires:
  485. //
  486. // Returns:
  487. //
  488. // Notes:
  489. //
  490. //
  491. //--------------------------------------------------------------------------
  493. NTSTATUS
  494. WLsaQueryCredAttributes(
  495. PCredHandle phCredentials,
  496. ULONG ulAttribute,
  497. PVOID pBuffer
  498. )
  499. {
  500. NTSTATUS scRet;
  501. PSession pSession = GetCurrentSession();
  502. PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
  503. PLSAP_SECURITY_PACKAGE pPackage;
  504. PVOID CredKey = NULL ;
  507. DebugLog((DEB_TRACE_WAPI, "[%x] WLsaQueryCredAttributes(%p : %p)\n",
  508. pSession->dwProcessID, phCredentials->dwUpper, phCredentials->dwLower));
  510. LsapLogCallInfo( CallInfo, pSession, *phCredentials );
  512. scRet = ValidateCredHandle(
  513. pSession,
  514. phCredentials,
  515. &CredKey );
  517. if ( !NT_SUCCESS( scRet ) )
  518. {
  519. DsysAssert( (pSession->fSession & SESFLAG_KERNEL) == 0 );
  521. return( scRet );
  522. }
  525. pPackage = SpmpValidRequest(phCredentials->dwLower,
  526. SP_ORDINAL_QUERYCREDATTR );
  528. if (pPackage)
  529. {
  531. SetCurrentPackageId(phCredentials->dwLower);
  533. StartCallToPackage( pPackage );
  535. __try
  536. {
  537. scRet = pPackage->FunctionTable.QueryCredentialsAttributes(
  538. phCredentials->dwUpper,
  539. ulAttribute,
  540. pBuffer
  541. );
  543. }
  544. __except (SP_EXCEPTION)
  545. {
  546. scRet = GetExceptionCode();
  547. scRet = SPException(scRet, phCredentials->dwLower);
  548. }
  550. EndCallToPackage( pPackage );
  551. }
  552. else
  553. {
  554. scRet = SEC_E_INVALID_HANDLE;
  555. }
  557. DerefCredHandle( pSession, NULL, CredKey );
  559. return(scRet);
  560. }