|
|
/**********************************************************************//** Microsoft Windows NT **//** Copyright(c) Microsoft Corp., 1993 **//**********************************************************************/
/*
security.c
This module manages security for the Internet Services.
FILE HISTORY: KeithMo 07-Mar-1993 Created. MuraliK 05-Jan-1995 Enable statistics query on RPC to go free.
*/
#include "tcpdllp.hxx"
#pragma hdrstop
#include <string.h>
#if 1 // DBCS
#include <mbstring.h>
#endif
#include <limits.h>
#include "infosec.hxx"
#include <inetsvcs.h>
#include "TokenAcl.hxx"
//
// Token Cache lock. Controls access to the token cache list
//
#define LockTokenCache() EnterCriticalSection( &csTokenCacheLock )
#define UnlockTokenCache() LeaveCriticalSection( &csTokenCacheLock )
//
// The check period for how long a token can be in the cache. Tokens can
// be in the cache for up to two times this value (in seconds)
//
#define DEFAULT_CACHED_TOKEN_TTL (15 * 60)
//
// Globals
//
CRITICAL_SECTION csTokenCacheLock;HANDLE g_hProcessImpersonationToken = NULL;HANDLE g_hProcessPrimaryToken = NULL;BOOL g_fUseSingleToken = FALSE;BOOL g_fAlwaysCheckForDuplicateLogon = FALSE;BOOL g_fUseAdvapi32Logon = FALSE;BOOL g_fCertCheckForRevocation = FALSE;TS_TOKEN g_pctProcessToken;BOOL g_fCertCheckCA = TRUE;HINSTANCE g_hWinTrust = NULL;PFN_WinVerifyTrust g_pfnWinVerifyTrust = NULL;
//
// Well-known SIDs.
//
PSID psidWorld;PSID psidLocalSystem;PSID psidAdmins;PSID psidServerOps;PSID psidPowerUsers;PSID g_psidGuestUser;PSID g_psidProcessUser;
# define GUEST_USER_SID_BUFFER_LEN (200)
BYTE g_GuestUserSidBuffer[GUEST_USER_SID_BUFFER_LEN];
//
// NT Security
//
BOOL g_fUseNTSecurity = TRUE;
//
// The API security object. Client access to the TCP Server APIs
// are validated against this object.
//
PSECURITY_DESCRIPTOR sdApiObject;
LUID g_ChangeNotifyPrivilegeTcbValue;PTOKEN_PRIVILEGES g_pTokPrev = NULL;
//
// This table maps generic rights (like GENERIC_READ) to
// specific rights (like TCP_QUERY_SECURITY).
//
GENERIC_MAPPING TCPApiObjectMapping = { TCP_GENERIC_READ, // generic read
TCP_GENERIC_WRITE, // generic write
TCP_GENERIC_EXECUTE, // generic execute
TCP_ALL_ACCESS // generic all
};
//
// List of cached tokens, the token list lock and the cookie to the token
// scavenger schedule item. The token cache TTL gets converted to msecs
// during startup
//
BOOL IsTokenCacheInitialized = FALSE;LIST_ENTRY TokenCacheList;DWORD dwScheduleCookie = 0;DWORD cmsecTokenCacheTTL = DEFAULT_CACHED_TOKEN_TTL;CHAR g_achComputerName[DNLEN+1];
LIST_ENTRY CredentialCacheList;CRITICAL_SECTION csCredentialCacheLock;
//
// Private prototypes.
//
DWORDCreateWellKnownSids( HINSTANCE hDll );
VOIDFreeWellKnownSids( VOID );
DWORDCreateApiSecurityObject( VOID );
VOIDDeleteApiSecurityObject( VOID );
TS_TOKENValidateUser( PCHAR pszDomainName, PCHAR pszUserName, PCHAR pszPassword, BOOL fAnonymous, BOOL * pfAsGuest, DWORD dwLogonMethod, TCHAR * pszWorkstation, LARGE_INTEGER * pExpiry, BOOL * pfExpiry, BOOL fUseSubAuthIfAnonymous );
VOID EnableTcbPrivilege( VOID );
BOOLBuildAcctDesc( IN const CHAR * pszUser, IN const CHAR * pszDomain, IN const CHAR * pszPwd, IN BOOL fUseSubAuth, OUT CHAR * pchAcctDesc, // must be MAX_ACCT_DESC_LEN
OUT LPDWORD pdwAcctDescLen );
BOOLAddTokenToCache( IN const CHAR * pszUser, IN const CHAR * pszDomain, IN const CHAR * pszPwd, IN BOOL fUseSubAuth, IN HANDLE hToken, IN DWORD dwLogonMethod, OUT CACHED_TOKEN * * ppct, BOOL fCheckAlreadyExist, LPBOOL pfAlreadyExist );
BOOLFindCachedToken( IN const CHAR * pszUser, IN const CHAR * pszDomain, IN const CHAR * pszPwd, IN BOOL fResetTTL, IN BOOL fUseSubAuth, IN DWORD dwLogonMethod, OUT CACHED_TOKEN * * ppct );
VOIDWINAPITokenCacheScavenger( IN VOID * pContext );
extern BOOL g_fIgnoreSC;
//
// Public functions.
//
/*******************************************************************
NAME: InitializeSecurity
SYNOPSIS: Initializes security authentication & impersonation routines.
RETURNS: DWORD - NO_ERROR if successful, otherwise a Win32 error code.
NOTES: This routine may only be called by a single thread of execution; it is not necessarily multi-thread safe.
HISTORY: KeithMo 07-Mar-1993 Created.
********************************************************************/DWORDInitializeSecurity( IN HINSTANCE hDll ){ NTSTATUS ntStatus; HANDLE hAsExe; DWORD err; DWORD nName; HANDLE hAccToken; HKEY hKey; DWORD dwType; DWORD dwValue; DWORD nBytes;
//
// Read the registry key to see whether tsunami caching is enabled
//
err = RegOpenKeyEx( HKEY_LOCAL_MACHINE, INETA_PARAMETERS_KEY, 0, KEY_READ, &hKey );
if ( err == ERROR_SUCCESS ) { nBytes = sizeof(dwValue); err = RegQueryValueEx( hKey, INETA_W3ONLY_NO_AUTH, NULL, &dwType, (LPBYTE)&dwValue, &nBytes );
if ( (err == ERROR_SUCCESS) && (dwType == REG_DWORD) ) { g_fW3OnlyNoAuth = (BOOL)!!dwValue; if ( g_fW3OnlyNoAuth ) { DbgPrint("W3OnlyNoAuth set to TRUE in Registry.\n"); } else { DbgPrint("W3OnlyNoAuth set to FALSE in Registry.\n"); } }
nBytes = sizeof(dwValue); err = RegQueryValueEx( hKey, INETA_ALWAYS_CHECK_FOR_DUPLICATE_LOGON, NULL, &dwType, (LPBYTE)&dwValue, &nBytes );
if ( (err == ERROR_SUCCESS) && (dwType == REG_DWORD) ) { g_fAlwaysCheckForDuplicateLogon = (BOOL)dwValue; }
nBytes = sizeof(dwValue); err = RegQueryValueEx( hKey, INETA_USE_ADVAPI32_LOGON, NULL, &dwType, (LPBYTE)&dwValue, &nBytes );
if ( (err == ERROR_SUCCESS) && (dwType == REG_DWORD) ) { g_fUseAdvapi32Logon = (BOOL)dwValue; }
nBytes = sizeof(dwValue); err = RegQueryValueEx( hKey, INETA_CHECK_CERT_REVOCATION, NULL, &dwType, (LPBYTE)&dwValue, &nBytes );
if ( (err == ERROR_SUCCESS) && (dwType == REG_DWORD) ) { g_fCertCheckForRevocation = (BOOL)dwValue; }
nBytes = sizeof(dwValue); err = RegQueryValueEx( hKey, "CertCheckCA", NULL, &dwType, (LPBYTE)&dwValue, &nBytes );
if ( (err == ERROR_SUCCESS) && (dwType == REG_DWORD) ) { g_fCertCheckCA = (BOOL)dwValue; }
RegCloseKey( hKey ); }
IF_DEBUG( DLL_SECURITY ) { DBGPRINTF(( DBG_CONTEXT, "Initializing security\n" )); }
IsTokenCacheInitialized = TRUE; InitializeListHead( &TokenCacheList ); INITIALIZE_CRITICAL_SECTION( &csTokenCacheLock );
InitializeListHead( &CredentialCacheList ); INITIALIZE_CRITICAL_SECTION( &csCredentialCacheLock );
if ( g_fW3OnlyNoAuth ) { DBGPRINTF((DBG_CONTEXT, "InitializeSecurity: NT Security disabled for W3OnlyNoAuth\n"));
g_fUseSingleToken = TRUE;
if ( !(g_pctProcessToken = new CACHED_TOKEN) ) { return ERROR_NOT_ENOUGH_MEMORY; }
g_pctProcessToken->_cRef = INT_MAX/2; InitializeListHead( &g_pctProcessToken->_ListEntry );
if ( !OpenProcessToken ( GetCurrentProcess(), TOKEN_DUPLICATE|TOKEN_IMPERSONATE|TOKEN_QUERY, &hAccToken ) ) { DBGPRINTF((DBG_CONTEXT, "fail OpenProcessToken\n")); return GetLastError(); }
if ( !pfnDuplicateTokenEx( hAccToken, 0, NULL, SecurityImpersonation, TokenPrimary, &g_hProcessPrimaryToken )) { DBGPRINTF((DBG_CONTEXT, "fail pfnDuplicateTokenEx primary\n")); CloseHandle( hAccToken ); return GetLastError(); }
if ( !pfnDuplicateTokenEx( hAccToken, 0, NULL, SecurityImpersonation, TokenImpersonation, &g_hProcessImpersonationToken )) { DBGPRINTF((DBG_CONTEXT, "fail pfnDuplicateTokenEx impersonate\n")); CloseHandle( hAccToken ); CloseHandle( g_hProcessPrimaryToken ); return GetLastError(); }
err = CreateWellKnownSids( hDll );
if ( err != NO_ERROR ) { DBGPRINTF((DBG_CONTEXT,"CreateWellKnownSids failed with %d\n",err)); goto exit; }
//
// Create the API security object.
//
err = CreateApiSecurityObject();
if ( err != NO_ERROR ) { DBGPRINTF((DBG_CONTEXT,"CreateApiSecurityObjects failed with %d\n",err)); goto exit; }
g_pctProcessToken->_hToken = g_hProcessPrimaryToken; g_pctProcessToken->m_hImpersonationToken = g_hProcessImpersonationToken;
return(NO_ERROR); }
if ( TsIsWindows95() ) { g_fIgnoreSC = TRUE; g_fUseNTSecurity = FALSE; return(NO_ERROR); }
//
// See if we should ignore the service controller (useful for running
// as an .exe). Inetsvcs.exe creates an event with this name. So
// if the semaphore creation fails, then we know we're running as an .exe.
//
if ( !(hAsExe = CreateSemaphore( NULL, 1, 1, IIS_AS_EXE_OBJECT_NAME ))) { g_fIgnoreSC = (GetLastError() == ERROR_INVALID_HANDLE); } else { DBG_REQUIRE( CloseHandle( hAsExe ) ); }
if ( g_fIgnoreSC ) { //
// If the service is running as an .exe, we need to enable
// the SeTcbPrivilege (Act as part of the operating system).
// We don't worry about disabling the privilege as this is
// only used in test debug code
//
EnableTcbPrivilege(); }
//
// Create well-known SIDs.
//
err = CreateWellKnownSids( hDll );
if ( err != NO_ERROR ) { DBGPRINTF((DBG_CONTEXT,"CreateWellKnownSids failed with %d\n",err)); goto exit; }
//
// Create the API security object.
//
err = CreateApiSecurityObject();
if ( err != NO_ERROR ) { DBGPRINTF((DBG_CONTEXT,"CreateApiSecurityObjects failed with %d\n",err)); goto exit; }
{ HKEY hkey;
//
// Get the default token TTL, must be at least one second
//
if ( !RegOpenKeyEx( HKEY_LOCAL_MACHINE, INETA_PARAMETERS_KEY, 0, KEY_READ, &hkey )) {
cmsecTokenCacheTTL = ReadRegistryDword( hkey, "UserTokenTTL", DEFAULT_CACHED_TOKEN_TTL);
RegCloseKey( hkey ); }
cmsecTokenCacheTTL = max( 1, cmsecTokenCacheTTL ); cmsecTokenCacheTTL *= 1000;
IF_DEBUG( DLL_SECURITY ) { DBGPRINTF(( DBG_CONTEXT, "Scheduling token cached scavenger to %d seconds\n", cmsecTokenCacheTTL/1000 )); }
//
// Schedule a work item for the token scavenger
//
dwScheduleCookie = ScheduleWorkItem( TokenCacheScavenger, NULL, cmsecTokenCacheTTL, TRUE ); // Periodic
}
pfnLogon32Initialize( NULL, DLL_PROCESS_ATTACH, NULL );
if ( g_pTokPrev = (PTOKEN_PRIVILEGES)LocalAlloc( LMEM_FIXED, sizeof(TOKEN_PRIVILEGES) + sizeof(LUID_AND_ATTRIBUTES)) ) { if ( !LookupPrivilegeValue( NULL, "SeChangeNotifyPrivilege", &g_ChangeNotifyPrivilegeTcbValue ) ) { g_pTokPrev->PrivilegeCount = 0; } else { g_pTokPrev->PrivilegeCount = 1;
g_pTokPrev->Privileges[0].Luid = g_ChangeNotifyPrivilegeTcbValue; g_pTokPrev->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; } }
nName = sizeof(g_achComputerName); if ( !GetComputerName( g_achComputerName, &nName ) ) { g_achComputerName[0] = '\0'; }
g_hWinTrust = LoadLibrary( "wintrust.dll" ); if ( g_hWinTrust != NULL ) { g_pfnWinVerifyTrust = (PFN_WinVerifyTrust)GetProcAddress( g_hWinTrust, "WinVerifyTrust" ); }
//
// Success!
//
IF_DEBUG( DLL_SECURITY ) { DBGPRINTF(( DBG_CONTEXT, "Security initialized\n" )); }
exit: return err;
} // InitializeSecurity
/*******************************************************************
NAME: TerminateSecurity
SYNOPSIS: Terminate security authentication & impersonation routines.
NOTES: This routine may only be called by a single thread of execution; it is not necessarily multi-thread safe.
HISTORY: KeithMo 07-Mar-1993 Created.
********************************************************************/VOIDTerminateSecurity( VOID ){ CACHED_TOKEN * pct; CACHED_CREDENTIAL * pcred;
DBGPRINTF((DBG_CONTEXT,"TerminateSecurity called\n"));
IF_DEBUG( DLL_SECURITY ) { DBGPRINTF(( DBG_CONTEXT, "Terminating security\n" )); }
//
// Delete any tokens still in the cache
//
if ( IsTokenCacheInitialized ) {
LockTokenCache();
while ( !IsListEmpty( &TokenCacheList )) { pct = CONTAINING_RECORD( TokenCacheList.Flink, CACHED_TOKEN, _ListEntry );
RemoveEntryList( &pct->_ListEntry ); pct->_ListEntry.Flink = NULL;
//
// If the ref count isn't zero then somebody didn't delete all of
// their tokens
//
DBG_ASSERT( pct->_cRef == 1 );
CACHED_TOKEN::Dereference( pct ); }
UnlockTokenCache();
DeleteCriticalSection( &csTokenCacheLock ); }
//
// Delete any credential in the cache
//
EnterCriticalSection( &csCredentialCacheLock );
while ( !IsListEmpty( &CredentialCacheList )) { pcred = CONTAINING_RECORD( CredentialCacheList.Flink, CACHED_CREDENTIAL, _ListEntry );
RemoveEntryList( &pcred->_ListEntry ); pcred->_ListEntry.Flink = NULL;
delete pcred; }
LeaveCriticalSection( &csCredentialCacheLock );
DeleteCriticalSection( &csCredentialCacheLock );
if ( g_fUseSingleToken ) { CloseHandle( g_hProcessImpersonationToken ); CloseHandle( g_hProcessPrimaryToken ); delete g_pctProcessToken; return; }
if ( !g_fUseNTSecurity ) { return; }
FreeWellKnownSids(); DeleteApiSecurityObject();
//
// Remove the scheduled scavenger
//
if ( dwScheduleCookie ) { RemoveWorkItem( dwScheduleCookie ); }
if ( g_pTokPrev ) { LocalFree( g_pTokPrev ); g_pTokPrev = NULL; }
if ( g_hWinTrust != NULL ) { g_pfnWinVerifyTrust = NULL; FreeLibrary( g_hWinTrust ); g_hWinTrust = NULL; }
pfnLogon32Initialize( NULL, DLL_PROCESS_DETACH, NULL );
IF_DEBUG( DLL_SECURITY ) { DBGPRINTF(( DBG_CONTEXT, "Security terminated\n" )); }} // TerminateSecurity
/*******************************************************************
NAME: TsLogonUser
SYNOPSIS: Validates a user's credentials, then sets the impersonation for the current thread. In effect, the current thread "becomes" the user.
ENTRY: pUserData - The user initiating the request (NULL for the default account).
pszPassword - The user's password. May be NULL.
pfAsGuest - Will receive TRUE if the user was validated with guest privileges.
pfAsAnonymous - Will receive TRUE if the user received the services anonymous token
pszWorkstation - workstation name for remote user can be NULL if default ( local computer) to be used
pExpiry - updated with pwd expiration date/time
pfExpiryAvailable - updated with TRUE if pwd expiration date/time available
RETURNS: HANDLE - Token handle to use for impersonation or NULL if the user couldn't be validated. Call GetLastError for more information.
HISTORY: KeithMo 18-Mar-1993 Created. Johnl 14-Oct-1994 Mutilated for TCPSvcs
********************************************************************/
TS_TOKENTsLogonUser( IN CHAR * pszUser, IN CHAR * pszPassword, OUT BOOL * pfAsGuest, OUT BOOL * pfAsAnonymous, IN PIIS_SERVER_INSTANCE psi, PTCP_AUTHENT_INFO pTAI, IN CHAR * pszWorkstation, OUT LARGE_INTEGER * pExpiry, OUT BOOL * pfExpiryAvailable ){ CHAR szAnonPwd[PWLEN+1]; CHAR szDomainAndUser[IIS_DNLEN+UNLEN+2]; CHAR szAnonUser[UNLEN+1]; CHAR * pszUserOnly; CHAR * pszDomain; TS_TOKEN hToken; BOOL fUseDefaultDomain = TRUE; TCP_AUTHENT_INFO InstanceAuthentInfo;
if ( g_fUseSingleToken ) { *pfAsGuest = TRUE; *pfAsAnonymous = TRUE; *pfExpiryAvailable = FALSE; CACHED_TOKEN::Reference( g_pctProcessToken ); return g_pctProcessToken; }
//
// if no NT Security, bail
//
if ( !g_fUseNTSecurity ) { *pfAsGuest = TRUE; *pfAsAnonymous = TRUE; *pfExpiryAvailable = FALSE; return((TS_TOKEN)BOGUS_WIN95_TOKEN); }
// If the client didn't pass in metabase info, grab what we need from
// the instance.
//
if (pTAI == NULL) { InstanceAuthentInfo.strAnonUserName.Copy( "iusr_xxx" ); //(CHAR *)psi->QueryAnonUserName();
InstanceAuthentInfo.strAnonUserPassword.Copy( "" ); InstanceAuthentInfo.strDefaultLogonDomain.Copy( "" ); //(CHAR *)psi->QueryDefaultLogonDomain();
InstanceAuthentInfo.dwLogonMethod = MD_LOGON_INTERACTIVE; //psi->QueryLogonMethod();
InstanceAuthentInfo.fDontUseAnonSubAuth = FALSE; pTAI = &InstanceAuthentInfo; } //
// Make a quick copy of the anonymous user for this server for later
// usage
//
memcpy( szAnonUser, pTAI->strAnonUserName.QueryStr(), pTAI->strAnonUserName.QueryCCH() + sizeof(CHAR) );
memcpy( szAnonPwd, pTAI->strAnonUserPassword.QueryStr(), pTAI->strAnonUserPassword.QueryCCH() + sizeof(CHAR) );
//
// Empty user defaults to the anonymous user
//
if ( !pszUser || *pszUser == '\0' ) { pszUser = szAnonUser; pszPassword = szAnonPwd; fUseDefaultDomain = FALSE; *pfAsAnonymous = TRUE; } else { *pfAsAnonymous = FALSE; }
//
// Validate parameters & state.
//
if ( strlen(pszUser) >= sizeof(szDomainAndUser) ) { SetLastError( ERROR_INVALID_PARAMETER ); return NULL; }
DBG_ASSERT( pfAsGuest != NULL ); DBG_ASSERT( pfAsAnonymous != NULL );
if( pszPassword == NULL ) { pszPassword = ""; } else { if ( strlen(pszPassword) >= PWLEN ) { SetLastError( ERROR_INVALID_PARAMETER ); return NULL; } }
//
// Save a copy of the domain\user so we can squirrel around
// with it a bit.
//
int cL = 0; PCSTR pL = NULL;
//
// prepend default logon domain if no domain
// and the default user name was not used
//
if ( fUseDefaultDomain && strchr( pszUser, '/' ) == NULL#if 1 // DBCS enabling for user name
&& _mbschr( (PUCHAR)pszUser, '\\' ) == NULL )#else
&& strchr( pszUser, '\\' ) == NULL )#endif
{ PCSTR pD = pTAI->strDefaultLogonDomain.QueryStr(); if ( pD[0] != '\0' ) {#if 1 // DBCS enabling for user name
if ( !( pL = (PCHAR)_mbschr( (PUCHAR)pD, '\\' ) ) )#else
if ( !( pL = strchr( pD, '\\' ) ) )#endif
{ cL = strlen( pD ); memcpy( szDomainAndUser, pD, cL ); szDomainAndUser[ cL++ ] = '\\'; } } }
if( pL ) { //
// Handle UPN case
//
pszUserOnly = pszUser; pszDomain = ""; } else { strcpy( szDomainAndUser + cL, pszUser );
//
// Crack the name into domain/user components.
//
if ( !CrackUserAndDomain( szDomainAndUser, &pszUserOnly, &pszDomain )) { return NULL; } }
//
// Validate the domain/user/password combo and create
// an impersonation token.
//
hToken = ValidateUser( pszDomain, pszUserOnly, pszPassword, *pfAsAnonymous, pfAsGuest, pTAI->dwLogonMethod, pszWorkstation, pExpiry, pfExpiryAvailable, !pTAI->fDontUseAnonSubAuth );
ZeroMemory( szAnonPwd, strlen(szAnonPwd) );
if( hToken == NULL ) { STR strError; const CHAR * psz[2]; DWORD dwErr = GetLastError();
psi->LoadStr( strError, dwErr, FALSE );
psz[0] = pszUser; psz[1] = strError.QueryStr();
psi->m_Service->LogEvent( INET_SVCS_FAILED_LOGON, 2, psz, dwErr );
//
// Validation failure.
//
if ( dwErr == ERROR_LOGON_TYPE_NOT_GRANTED || dwErr == ERROR_ACCOUNT_DISABLED ) { SetLastError( ERROR_ACCESS_DENIED ); } else { //
// Reset LastError(), as LogEvent() may have overwritten it
// e.g log is full
//
SetLastError( dwErr ); }
return NULL; }
//
// Success!
//
return hToken;
} // LogonUser
/*******************************************************************
NAME: ValidateUser
SYNOPSIS: Validate a given domain/user/password tuple.
ENTRY: pszDomainName - The user's domain (NULL = current).
pszUserName - The user's name.
pszPassword - The user's (plaintext) password.
fAnonymous - TRUE if this is the anonymous user
pfAsGuest - Will receive TRUE if the user was validated with guest privileges.
dwLogonMethod - interactive or batch
pszWorkstation - workstation name for remote user can be NULL if default ( local computer) to be used
pExpiry - updated with pwd expiration date/time
pfExpiryAvailable - updated with TRUE if pwd expiration date/time available
fUseSubAuthIfAnonymous - TRUE if logon anonymous user using IIS sub-auth
RETURNS: HANDLE - An impersonation token, NULL if user cannot be validated. Call GetLastError for more information.
HISTORY: KeithMo 07-Mar-1993 Created.
********************************************************************/TS_TOKEN ValidateUser( PCHAR pszDomainName, PCHAR pszUserName, PCHAR pszPassword, BOOL fAnonymous, BOOL * pfAsGuest, DWORD dwLogonMethod, CHAR * pszWorkstation, LARGE_INTEGER * pExpiry, BOOL * pfExpiryAvailable, BOOL fUseSubAuthIfAnonymous ){ CACHED_TOKEN * pct = NULL; HANDLE hToken; HANDLE hImpersonationToken = NULL; BOOL fExpiry = FALSE; DWORD dwSubAuth = 0; CHAR achCookie[32]; BOOL fExist;
if ( pfExpiryAvailable ) { *pfExpiryAvailable = FALSE; }
if ( fAnonymous && fUseSubAuthIfAnonymous ) { if ( !pfnNetUserCookieA( pszUserName, IIS_SUBAUTH_SEED, achCookie, sizeof(achCookie ) ) ) { return FALSE; }
dwSubAuth = IIS_SUBAUTH_ID; pszPassword = achCookie; dwLogonMethod = LOGON32_LOGON_IIS_NETWORK; }
//
// Is it in the cache? References the token if we find it
//
if ( FindCachedToken( pszUserName, pszDomainName, pszPassword, fAnonymous, // Reset the TTL if anonymous
fAnonymous && fUseSubAuthIfAnonymous, dwLogonMethod, &pct )) { *pfAsGuest = pct->IsGuest();
if ( NULL != pExpiry) { memcpy( pExpiry, pct->QueryExpiry(), sizeof(LARGE_INTEGER) ); }
if ( pfExpiryAvailable ) { *pfExpiryAvailable = TRUE; }
return pct; } if ( (dwLogonMethod == LOGON32_LOGON_NETWORK || dwLogonMethod == LOGON32_LOGON_BATCH || dwLogonMethod == LOGON32_LOGON_INTERACTIVE || dwLogonMethod == LOGON32_LOGON_IIS_NETWORK || dwLogonMethod == LOGON32_LOGON_NETWORK_CLEARTEXT ) && !g_fUseAdvapi32Logon ) { if ( !pfnLogonNetUserA( pszUserName, pszDomainName, pszPassword, pszWorkstation, dwSubAuth, dwLogonMethod, LOGON32_PROVIDER_DEFAULT, &hToken, pExpiry )) { if ( fAnonymous && ( GetLastError() == ERROR_LOGON_TYPE_NOT_GRANTED ) && ( dwLogonMethod == LOGON32_LOGON_INTERACTIVE ) ) { // try again
dwLogonMethod = LOGON32_LOGON_BATCH; if ( !pfnLogonNetUserA( pszUserName, pszDomainName, pszPassword, pszWorkstation, dwSubAuth, dwLogonMethod, LOGON32_PROVIDER_DEFAULT, &hToken, pExpiry )) { return NULL; } } else { return NULL; } }
fExpiry = TRUE;
if ( pfExpiryAvailable ) { *pfExpiryAvailable = TRUE; } } else { if ( !LogonUserA( pszUserName, pszDomainName, pszPassword, dwLogonMethod, LOGON32_PROVIDER_WINNT50, &hToken )) { return NULL; } }
if ( dwLogonMethod == LOGON32_LOGON_NETWORK || dwLogonMethod == LOGON32_LOGON_IIS_NETWORK || dwLogonMethod == LOGON32_LOGON_NETWORK_CLEARTEXT ) { hImpersonationToken = hToken;
if ( !pfnDuplicateTokenEx( hImpersonationToken, TOKEN_ALL_ACCESS, NULL, SecurityDelegation, TokenPrimary, &hToken )) { if ( !pfnDuplicateTokenEx( hImpersonationToken, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenPrimary, &hToken )) { CloseHandle( hImpersonationToken ); return NULL; } } }
*pfAsGuest = IsGuestUser(hToken);
//
// Add this new token to the cache, hToken gets replaced by the
// cached token object
//
if ( !AddTokenToCache( pszUserName, pszDomainName, pszPassword, fAnonymous && fUseSubAuthIfAnonymous, hToken, dwLogonMethod, &pct, g_fAlwaysCheckForDuplicateLogon | fAnonymous, &fExist )) { if ( hImpersonationToken != NULL ) { CloseHandle( hImpersonationToken ); } CloseHandle( hToken ); return NULL; }
pct->SetGuest(*pfAsGuest); if ( fExpiry ) { pct->SetExpiry( pExpiry ); }
//
// DuplicateToken() apparently returns an impersonated token
// so it is not necessary to call pfnDuplicateTokenEx
//
if ( !fExist ) { if ( hImpersonationToken == NULL && !pfnDuplicateTokenEx( hToken, // hSourceToken
TOKEN_ALL_ACCESS, NULL, SecurityDelegation, // Obtain impersonation
TokenImpersonation, &hImpersonationToken) // hDestinationToken
) { if ( !pfnDuplicateTokenEx( hToken, // hSourceToken
TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, // Obtain impersonation
TokenImpersonation, &hImpersonationToken) // hDestinationToken
) { hImpersonationToken = NULL; } }
// Bug 86489:
// Grant all access to the token for "Everyone" so that ISAPIs that run out of proc
// can do an OpenThreadToken call
if (FAILED( GrantAllAccessToToken( hImpersonationToken ) ) ) { CloseHandle( hImpersonationToken ); DBG_ASSERT( FALSE ); return NULL; }
pct->SetImpersonationToken( hImpersonationToken); } else if ( hImpersonationToken ) { CloseHandle( hImpersonationToken ); }
return pct;
} // ValidateUser
�# define MAX_TOKEN_USER_INFO (300)
BOOLIsGuestUser(IN HANDLE hToken)/*++
Given a user token, this function determines if the token belongs to a guest user. It returns true if the token is a guest user token.
Arguments: hToken - handle for the Security token for a user.
Returns: BOOL.
History: MuraliK 22-Jan-1996 Created.--*/{ BOOL fGuest = FALSE; BYTE rgbInfo[MAX_TOKEN_USER_INFO]; DWORD cbTotalRequired;
//
// Get the user information associated with the token.
// Using this we can then query to find out if it belongs to a guest user.
//
if (GetTokenInformation( hToken, TokenUser, (LPVOID ) rgbInfo, MAX_TOKEN_USER_INFO, &cbTotalRequired) ) {
TOKEN_USER * pTokenUser = (TOKEN_USER *) rgbInfo; PSID pSid = pTokenUser->User.Sid;
fGuest = EqualSid( pSid, g_psidGuestUser);
} else {
IF_DEBUG( DLL_SECURITY) {
DBGPRINTF(( DBG_CONTEXT, "GetTokenInformation(%08x) failed. Error = %d." " sizeof(TOKEN_USER) = %d, cb = %d\n", hToken, GetLastError(), sizeof(TOKEN_USER), cbTotalRequired )); } }
return ( fGuest);
} // IsGuestUser()
/*******************************************************************
NAME: TsImpersonateUser
SYNOPSIS: Causes the current thread to impersonate the user represented by the given impersonation token.
ENTRY: hToken - A handle to an impersonation token created with ValidateUser. This is actually a pointer to a cached token object.
RETURNS: BOOL - TRUE if successful, FALSE otherwise.
HISTORY: KeithMo 07-Mar-1993 Created. MuraliK 21-Feb-1996 Optimized Token caching
********************************************************************/BOOL TsImpersonateUser( TS_TOKEN hToken ){ HANDLE hTok;
IF_DEBUG( DLL_SECURITY ) { DBGPRINTF(( DBG_CONTEXT, "impersonating user token %08lX : Imperonation(%08lx)\n", CTO_TO_TOKEN(hToken), ((CACHED_TOKEN *) hToken)->QueryImpersonationToken() )); }
hTok = ((CACHED_TOKEN *) hToken)->QueryImpersonationToken(); if ( hTok == NULL) { // if there is no impersonation token use the normal token itself.
hTok = CTO_TO_TOKEN(hToken); }
#if DBG
if( !ImpersonateLoggedOnUser( hTok ) ) { DBGPRINTF(( DBG_CONTEXT, "cannot impersonate user token %08lX, error %08lX\n", CTO_TO_TOKEN(hToken), GetLastError() )); return FALSE; }
return TRUE;
# else
return ( ImpersonateLoggedOnUser(hTok));
# endif // DBG
} // TsImpersonateUser
/*******************************************************************
NAME: TsDeleteUserToken
SYNOPSIS: Deletes a token created with ValidateUser.
ENTRY: hToken - An impersonation token created with ValidateUser.
RETURNS: BOOL - TRUE if successful, FALSE otherwise.
HISTORY: KeithMo 07-Mar-1993 Created.
********************************************************************/BOOL TsDeleteUserToken( TS_TOKEN hToken ){ NTSTATUS ntStatus = STATUS_SUCCESS;
if ( hToken != (TS_TOKEN)BOGUS_WIN95_TOKEN ) {
CACHED_TOKEN::Dereference( (CACHED_TOKEN *) hToken ); } return TRUE;} // DeleteUserToken
HANDLETsTokenToHandle( TS_TOKEN hToken )/*++
Description:
Converts the token object into a real impersonation handle
Arguments:
hToken - pointer to cached token object
Returns: Handle of real impersonation token--*/{ DBG_ASSERT( hToken != NULL );
return CTO_TO_TOKEN( hToken );}
HANDLETsTokenToImpHandle( TS_TOKEN hToken )/*++
Description:
Converts the token object into an impersonation handle
Arguments:
hToken - pointer to cached token object
Returns: Handle of impersonation token--*/{ DBG_ASSERT( hToken != NULL );
return CTO_TO_IMPTOKEN( hToken );}
BOOLBuildAnonymousAcctDesc( PTCP_AUTHENT_INFO pTAI )/*++
Routine Description:
Builds the anonymous account description based on the authentication info structure.
Arguments:
pTAI - Pointer to authentication info to build
Returns:
TRUE if Success, FALSE otherwise
--*/{ CHAR szDomainAndUser[IIS_DNLEN+UNLEN+2]; PCHAR pszUserOnly; PCHAR pszDomain; CHAR achAcctDesc[MAX_ACCT_DESC_LEN]; DWORD cbDescLen;
if ( g_fUseSingleToken ) { pTAI->cbAnonAcctDesc = 0; return TRUE; }
strncpy( szDomainAndUser, pTAI->strAnonUserName.QueryStr(), sizeof( szDomainAndUser ) );
szDomainAndUser[sizeof(szDomainAndUser)-1] = '\0';
if ( !CrackUserAndDomain( szDomainAndUser, &pszUserOnly, &pszDomain )) { DBGPRINTF((DBG_CONTEXT, "BuildAnonymousAcctDesc: Call to CrackUserAndDomain failed\n"));
return(FALSE); }
if ( !BuildAcctDesc( pszUserOnly, pszDomain, pTAI->strAnonUserPassword.QueryStr(), !pTAI->fDontUseAnonSubAuth, achAcctDesc, &pTAI->cbAnonAcctDesc ) || !pTAI->bAnonAcctDesc.Resize( pTAI->cbAnonAcctDesc )) { return FALSE; }
memcpy( pTAI->bAnonAcctDesc.QueryPtr(), achAcctDesc, pTAI->cbAnonAcctDesc );
return TRUE;}
BOOLBuildAcctDesc( IN const CHAR * pszUser, IN const CHAR * pszDomain, IN const CHAR * pszPwd, IN BOOL fUseSubAuth, OUT CHAR * pchAcctDesc, OUT LPDWORD pdwAcctDescLen )/*++
Description:
Builds a cache descriptor for account cache
Arguments:
pszUser - User name attempting to logon pszDomain - Domain the user belongs to pszPwd - password (case sensitive) fUseSubAuth - TRUE if sub-authenticator used pchAcctDesc - updated with descriptor pdwAcctDescLen - updated with descriptor length
Returns: TRUE on success, otherwise FALSE
--*/{ if ( fUseSubAuth ) { pszPwd = ""; }
size_t lU = strlen( pszUser ) + 1; size_t lD = strlen( pszDomain ) + 1; size_t lP = strlen( pszPwd ) + 1;
if ( lU > (UNLEN+1) || lD > (IIS_DNLEN+1) || lP > (PWLEN+1) ) { SetLastError( ERROR_INVALID_PARAMETER ); return FALSE; }
*pdwAcctDescLen = (DWORD)(1 + lU + lD + lP);
LPBYTE pD = (BYTE *) pchAcctDesc;
*pD++ = (BYTE)fUseSubAuth;
memcpy( pD, pszUser, lU );#if 1 // DBCS enabling for user name
CharLower( (LPSTR)pD );#else
_strlwr( (LPSTR)pD );#endif
memcpy( pD + lU, pszDomain, lD ); _strlwr( (LPSTR)(pD+lU) );
memcpy( pD + lU + lD, pszPwd, lP );
DBG_ASSERT( (lU + lD + lP) < MAX_ACCT_DESC_LEN ); return TRUE;}
BOOLFindCachedToken( IN const CHAR * pszUser, IN const CHAR * pszDomain, IN const CHAR * pszPwd, IN BOOL fResetTTL, IN BOOL fUseSubAuth, IN DWORD dwLogonMethod, OUT CACHED_TOKEN * * ppct )/*++
Description:
Checks to see if the specified user token handle is cached
Arguments:
pszUser - User name attempting to logon pszDomain - Domain the user belongs to pszPwd - password (case sensitive) fResetTTL - Resets the TTL for this token fUseSubAuth - TRUE if sub-authenticator used dwLogonMethod - Logon method (Batch, Interactive, Network) ppct - Receives token object
Returns: TRUE on success and FALSE if the entry couldn't be found
--*/{ LIST_ENTRY * pEntry; CACHED_TOKEN * pct; CHAR achAcctDesc[MAX_ACCT_DESC_LEN]; DWORD dwAcctDescLen; LPBYTE pAcctDesc;
DBG_ASSERT( pszUser != NULL );
if ( !BuildAcctDesc( pszUser, pszDomain, pszPwd, fUseSubAuth, achAcctDesc, &dwAcctDescLen) ) { return FALSE; }
DBG_ASSERT( dwAcctDescLen < sizeof(achAcctDesc ));
pAcctDesc = (LPBYTE)achAcctDesc;
LockTokenCache();
for ( pEntry = TokenCacheList.Flink; pEntry != &TokenCacheList; pEntry = pEntry->Flink ) { pct = CONTAINING_RECORD( pEntry, CACHED_TOKEN, _ListEntry );
if ( pct->m_dwAcctDescLen == dwAcctDescLen && pct->m_dwLogonMethod == dwLogonMethod && !memcmp( pct->_achAcctDesc, pAcctDesc, dwAcctDescLen ) ) { CACHED_TOKEN::Reference( pct ); *ppct = pct;
//
// Reset the TTL if this is the anonymous user so items in the
// cache don't get invalidated (token handle used as a
// discriminator)
if ( fResetTTL ) { pct->_TTL = 2; }
UnlockTokenCache();
return TRUE; } if( !_stricmp( pct->m_achUserName, pszUser ) && !_stricmp( pct->m_achDomainName, pszDomain ) && pct->m_dwLogonMethod == dwLogonMethod ) { UnlockTokenCache();
RemoveTokenFromCache( pct );
return FALSE; } }
UnlockTokenCache();
return FALSE;
} // FindCachedToken
�TS_TOKENFastFindAnonymousToken( IN PTCP_AUTHENT_INFO pTAI )/*++
Description:
Checks to see if the specified anonymous user token handle is cached.
Don't call this function when using the sub-authenticator!
Arguments:
pTAI - pointer to the anonymous authentication info
Returns: Pointer to the cached object.
--*/{ LIST_ENTRY * pEntry; CACHED_TOKEN * pct;
LockTokenCache();
for ( pEntry = TokenCacheList.Flink; pEntry != &TokenCacheList; pEntry = pEntry->Flink ) {
pct = CONTAINING_RECORD( pEntry, CACHED_TOKEN, _ListEntry );
DBG_ASSERT(pct->m_dwAcctDescLen > 0);
if ( (pct->m_dwAcctDescLen == pTAI->cbAnonAcctDesc ) && RtlEqualMemory( pct->_achAcctDesc, pTAI->bAnonAcctDesc.QueryPtr(), pct->m_dwAcctDescLen ) ) {
CACHED_TOKEN::Reference( pct );
//
// Reset the TTL if this is the anonymous user so items in the
// cache don't get invalidated (token handle used as a
// discriminator)
pct->_TTL = 2;
UnlockTokenCache(); return pct; } }
UnlockTokenCache(); return NULL;} // FastFindAnonymousToken
�BOOLAddTokenToCache( IN const CHAR * pszUser, IN const CHAR * pszDomain, IN const CHAR * pszPwd, IN BOOL fUseSubAuth, IN HANDLE hToken, IN DWORD dwLogonMethod, OUT CACHED_TOKEN * * ppct, BOOL fCheckAlreadyExist, LPBOOL pfExist )/*++
Description:
Adds the specified token to the cache and converts the token handle to a cached token object
Arguments:
pszUser - User name attempting to logon pszDomain - Domain the user belongs to pszPwd - Cast sensitive password fUseSubAuth - TRUE if subauth to be used phToken - Contains the token handle that was just logged on dwLogonMethod - Logon Method ppct - Receives cached token object fCheckAlreadyExist - check if entry with same name already exist pfExist - updated with TRUE if acct already exists
Returns: TRUE on success and FALSE if the entry couldn't be found
--*/{ LIST_ENTRY * pEntry; CACHED_TOKEN * pctF; CACHED_TOKEN * pct; DWORD dwAcctDescLen; BOOL fFound = FALSE; CHAR achAcctDesc[MAX_ACCT_DESC_LEN];
DBG_ASSERT( pszUser != NULL );
if( ( strlen( pszUser ) >= UNLEN ) || ( strlen( pszDomain ) >= IIS_DNLEN ) ) { SetLastError( ERROR_INVALID_PARAMETER ); return FALSE; }
if ( !BuildAcctDesc( pszUser, pszDomain, pszPwd, fUseSubAuth, achAcctDesc, &dwAcctDescLen) ) { return FALSE; }
pct = new CACHED_TOKEN;
if ( !pct ) { SetLastError( ERROR_NOT_ENOUGH_MEMORY ); return FALSE; }
pct->_hToken = hToken; pct->m_hImpersonationToken = NULL; // initialize to invalid value
CopyMemory( pct->_achAcctDesc, achAcctDesc, dwAcctDescLen ); pct->m_dwAcctDescLen = dwAcctDescLen; pct->m_dwLogonMethod = dwLogonMethod; strcpy( pct->m_achUserName, pszUser ); strcpy( pct->m_achDomainName, pszDomain );
//
// Add the token to the list, we check for duplicates at callers's request
//
LockTokenCache();
if ( fCheckAlreadyExist ) { for ( pEntry = TokenCacheList.Flink; pEntry != &TokenCacheList; pEntry = pEntry->Flink ) { pctF = CONTAINING_RECORD( pEntry, CACHED_TOKEN, _ListEntry );
if ( pctF->m_dwAcctDescLen == dwAcctDescLen && !memcmp( pctF->_achAcctDesc, pct->_achAcctDesc, dwAcctDescLen ) && pctF->m_dwLogonMethod == dwLogonMethod ) { fFound = TRUE; break; } } }
*pfExist = fFound;
if ( !fFound ) { InsertHeadList( &TokenCacheList, &pct->_ListEntry ); } else { // delete cache item ( was not yet on list )
CACHED_TOKEN::Dereference( pct );
pct = pctF; }
CACHED_TOKEN::Reference( pct );
UnlockTokenCache();
*ppct = pct;
return TRUE;} // AddTokenToCache
�VOIDRemoveTokenFromCache( IN CACHED_TOKEN * pct){ DBG_ASSERT( pct != NULL); LockTokenCache();
//
// Remove from the list
//
if ( pct->_ListEntry.Flink ) { RemoveEntryList( &pct->_ListEntry ); pct->_ListEntry.Flink = NULL;
//
// Free any handles this user may still have open
//
TsCacheFlushUser( pct->_hToken, FALSE );
CACHED_TOKEN::Dereference( pct ); }
UnlockTokenCache();
return;} // RemoveTokenFromCache()
�VOIDWINAPITokenCacheScavenger( IN VOID * /* pContext */ )/*++
Description:
Decrements TTLs and removes tokens that have timed out
Arguments:
pContext - Not used
--*/{ LIST_ENTRY * pEntry; LIST_ENTRY * pEntryNext; CACHED_TOKEN * pct;
LockTokenCache();
for ( pEntry = TokenCacheList.Flink; pEntry != &TokenCacheList; ) { pEntryNext = pEntry->Flink;
pct = CONTAINING_RECORD( pEntry, CACHED_TOKEN, _ListEntry );
if ( !(--pct->_TTL) ) { IF_DEBUG( DLL_SECURITY ) { DBGPRINTF(( DBG_CONTEXT, "[TokenCacheScavenger] Timing out token for %s\n", pct->_achAcctDesc )); }
//
// This item has timed out, remove from the list
//
RemoveEntryList( &pct->_ListEntry ); pct->_ListEntry.Flink = NULL;
//
// Free any handles this user may still have open
//
TsCacheFlushUser( pct->_hToken, FALSE );
CACHED_TOKEN::Dereference( pct ); }
pEntry = pEntryNext; }
UnlockTokenCache();
} // TokenCacheScavenger
BOOLTsGetSecretW( WCHAR * pszSecretName, BUFFER * pbufSecret )/*++
Description:
Retrieves the specified unicode secret
Arguments:
pszSecretName - LSA Secret to retrieve pbufSecret - Receives found secret
Returns: TRUE on success and FALSE if any failure.
--*/{ BOOL fResult; NTSTATUS ntStatus; PUNICODE_STRING punicodePassword = NULL; UNICODE_STRING unicodeSecret; LSA_HANDLE hPolicy; OBJECT_ATTRIBUTES ObjectAttributes;
if ( pfnLsaOpenPolicy == NULL ) { DBGPRINTF((DBG_CONTEXT,"LsaOpenPolicy does not exist on win95\n")); SetLastError(ERROR_CALL_NOT_IMPLEMENTED); return(FALSE); }
//
// Open a policy to the remote LSA
//
InitializeObjectAttributes( &ObjectAttributes, NULL, 0L, NULL, NULL );
ntStatus = pfnLsaOpenPolicy( NULL, &ObjectAttributes, POLICY_ALL_ACCESS, &hPolicy );
if ( !NT_SUCCESS( ntStatus ) ) { SetLastError( pfnLsaNtStatusToWinError( ntStatus ) ); return FALSE; }
InitUnicodeString( &unicodeSecret, pszSecretName );
//
// Query the secret value.
//
ntStatus = pfnLsaRetrievePrivateData( hPolicy, &unicodeSecret, &punicodePassword );
if( NT_SUCCESS(ntStatus) ) { DWORD cbNeeded;
cbNeeded = punicodePassword->Length + sizeof(WCHAR);
if ( !pbufSecret->Resize( cbNeeded ) ) { ntStatus = STATUS_NO_MEMORY; goto Failure; }
CopyMemory( pbufSecret->QueryPtr(), punicodePassword->Buffer, punicodePassword->Length );
*((WCHAR *) pbufSecret->QueryPtr() + punicodePassword->Length / sizeof(WCHAR)) = L'\0';
ZeroMemory( punicodePassword->Buffer, punicodePassword->MaximumLength );
}
Failure:
fResult = NT_SUCCESS(ntStatus);
//
// Cleanup & exit.
//
if( punicodePassword != NULL ) { pfnLsaFreeMemory( (PVOID)punicodePassword ); }
pfnLsaClose( hPolicy );
if ( !fResult ) { SetLastError( pfnLsaNtStatusToWinError( ntStatus )); }
return fResult;} // TsGetSecretW
�DWORDTsSetSecretW( IN LPWSTR SecretName, IN LPWSTR pSecret, IN DWORD cbSecret )/*++
Description
Sets the specified LSA secret
Arguments:
SecretName - Name of the LSA secret pSecret - Pointer to secret memory cbSecret - Size of pSecret memory block
Note:
--*/{ LSA_HANDLE hPolicy; UNICODE_STRING unicodePassword; UNICODE_STRING unicodeServer; NTSTATUS ntStatus; OBJECT_ATTRIBUTES ObjectAttributes; UNICODE_STRING unicodeSecret;
InitUnicodeString( &unicodeServer, L"" );
//
// Initialize the unicode string by hand so we can handle '\0' in the
// string
//
unicodePassword.Buffer = pSecret; unicodePassword.Length = (USHORT) cbSecret; unicodePassword.MaximumLength = (USHORT) cbSecret;
//
// Open a policy to the remote LSA
//
InitializeObjectAttributes( &ObjectAttributes, NULL, 0L, NULL, NULL );
ntStatus = pfnLsaOpenPolicy( &unicodeServer, &ObjectAttributes, POLICY_ALL_ACCESS, &hPolicy );
if ( !NT_SUCCESS( ntStatus ) ) return pfnLsaNtStatusToWinError( ntStatus );
//
// Create or open the LSA secret
//
InitUnicodeString( &unicodeSecret, SecretName );
ntStatus = pfnLsaStorePrivateData( hPolicy, &unicodeSecret, &unicodePassword );
pfnLsaClose( hPolicy );
if ( !NT_SUCCESS( ntStatus )) { return pfnLsaNtStatusToWinError( ntStatus ); }
return NO_ERROR;} // TsSetSecretW()
/*******************************************************************
NAME: ApiAccessCheck
SYNOPSIS: Impersonate the RPC client, then check for valid access against our server security object.
ENTRY: maskDesiredAccess - Specifies the desired access mask. This mask must not contain generic accesses.
RETURNS: DWORD - NO_ERROR if access granted, ERROR_ACCESS_DENIED if access denied, other Win32 errors if something tragic happened.
HISTORY: KeithMo 26-Mar-1993 Created.
********************************************************************/DWORD TsApiAccessCheck( ACCESS_MASK maskDesiredAccess ){ DWORD err; BOOL fRet;
if ( maskDesiredAccess == TCP_QUERY_STATISTICS) {
//
// Statistics query should be allowed without authentication.
// Any body can bring up perfmon and request statistics.
//
return ( NO_ERROR); }
//
// Impersonate the RPC client.
//
err = (DWORD)RpcImpersonateClient( NULL );
if( err != NO_ERROR ) { IF_DEBUG( DLL_SECURITY ) { DBGPRINTF(( DBG_CONTEXT, "cannot impersonate rpc client, error %lu\n", err )); }
} else {
BOOL fAccessStatus; BOOL fGenerateOnClose; ACCESS_MASK maskAccessGranted;
//
// Validate access.
//
if ( g_fUseSingleToken ) { HANDLE hAccToken; BYTE Set[256]; DWORD dwSet = sizeof(Set);
if ( OpenThreadToken( GetCurrentThread(), TOKEN_READ, TRUE, &hAccToken ) ) { fRet = AccessCheck( sdApiObject, hAccToken, maskDesiredAccess, &TCPApiObjectMapping, (PPRIVILEGE_SET)&Set, &dwSet, &maskAccessGranted, &fAccessStatus );
CloseHandle( hAccToken ); } else { fRet = FALSE; } } else { fRet = AccessCheckAndAuditAlarmW( SUBSYSTEM_NAME, NULL, OBJECTTYPE_NAME, OBJECT_NAME, sdApiObject, maskDesiredAccess, &TCPApiObjectMapping, FALSE, &maskAccessGranted, &fAccessStatus, &fGenerateOnClose ); }
if ( !fRet ) {
err = GetLastError(); }
//
// Revert to our former self.
//
DBG_REQUIRE( !RpcRevertToSelf() );
//
// Check the results.
//
if( err != NO_ERROR ) {
IF_DEBUG( DLL_SECURITY ) {
DBGPRINTF(( DBG_CONTEXT, "cannot check access, error %lu\n", err )); } } else if( !fAccessStatus ) {
err = ERROR_ACCESS_DENIED;
IF_DEBUG( DLL_SECURITY ) {
DBGPRINTF(( DBG_CONTEXT, "bad access status, error %lu\n", err )); } } }
return (err);
} // ApiAccessCheck
/*******************************************************************
NAME: CreateWellKnownSids
SYNOPSIS: Create some well-known SIDs used to create a security descriptor for the API security object.
RETURNS: NTSTATUS - An NT Status code.
HISTORY: KeithMo 26-Mar-1993 Created.
********************************************************************/
DWORD CreateWellKnownSids( HINSTANCE hDll ){ DWORD error = NO_ERROR; SID_IDENTIFIER_AUTHORITY siaWorld = SECURITY_WORLD_SID_AUTHORITY; SID_IDENTIFIER_AUTHORITY siaNt = SECURITY_NT_AUTHORITY; BOOL fRet;
fRet = AllocateAndInitializeSid( &siaWorld, 1, SECURITY_WORLD_RID, 0,0,0,0,0,0,0, &psidWorld );
if( fRet ) { fRet = AllocateAndInitializeSid( &siaNt, 1, SECURITY_LOCAL_SYSTEM_RID, 0,0,0,0,0,0,0, &psidLocalSystem ); }
if( fRet ) { fRet = AllocateAndInitializeSid( &siaNt, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_ADMINS, 0,0,0,0,0,0, &psidAdmins ); }
if( fRet ) { fRet = AllocateAndInitializeSid( &siaNt, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_SYSTEM_OPS, 0,0,0,0,0,0, &psidServerOps ); }
if( fRet ) { fRet = AllocateAndInitializeSid( &siaNt, 2, SECURITY_BUILTIN_DOMAIN_RID, DOMAIN_ALIAS_RID_POWER_USERS, 0,0,0,0,0,0, &psidPowerUsers ); }
if( fRet ) { USER_MODALS_INFO_2 * pUsrModals2 = NULL; HINSTANCE hInstance = NULL; NET_USER_MODALS_GET_FN pfnNetUserModalsGet = NULL; NET_API_BUFFER_FREE_FN pfnNetApiBufferFree = NULL;
//
// Construct well-known-sid for Guest User on the local computer
//
// 1) Obtain the sid for the local machine's domain
// 2) copy domain sid to guest user sid
// 3) append DOMAIN_USER_RID_GUEST to the domain sid in GuestUser sid.
//
g_psidGuestUser = (PSID ) g_GuestUserSidBuffer;
hInstance = LoadLibrary("netapi32.dll"); if ( hInstance != NULL ) {
pfnNetUserModalsGet = (NET_USER_MODALS_GET_FN) GetProcAddress(hInstance,"NetUserModalsGet"); pfnNetApiBufferFree = (NET_API_BUFFER_FREE_FN) GetProcAddress(hInstance,"NetApiBufferFree"); }
if ( (pfnNetUserModalsGet != NULL) && (pfnNetApiBufferFree != NULL) ) {
fRet = ( (pfnNetUserModalsGet(NULL, // local computer
2, // get level 2 information
(LPBYTE *) &pUsrModals2 ) == 0) && CopySid(GUEST_USER_SID_BUFFER_LEN - 4,// Buffer len
g_psidGuestUser, // psidDestination
pUsrModals2->usrmod2_domain_id // obtain domain sid.
) ); } else {
DBGPRINTF((DBG_CONTEXT,"Unable to get netapi32 entrypoints\n")); fRet = FALSE; }
//
// if successful append the DOMAIN_USER_RID_GUEST.
//
if ( fRet) {
DWORD lenSid = GetLengthSid( g_psidGuestUser); CHAR nSubAuth;
//
// There is no Win32 way to set a SID value.
// We will munge around on our own.
// Pretty dangerous thing to do :-(
//
// increment the number of sub authorities
nSubAuth = *((UCHAR *) ((UCHAR *) g_psidGuestUser + 1)); nSubAuth++; *((UCHAR *) ((UCHAR *) g_psidGuestUser + 1)) = nSubAuth;
// Store the new sub authority (Domain User Rid for Guest).
*((ULONG *) ((BYTE *) g_psidGuestUser + lenSid)) = DOMAIN_USER_RID_GUEST; } else {
g_psidGuestUser = NULL; }
if ( pUsrModals2 != NULL) {
NET_API_STATUS ns = pfnNetApiBufferFree( (LPVOID )pUsrModals2); pUsrModals2 = NULL; }
if ( hInstance != NULL ) { FreeLibrary(hInstance); } }
if ( fRet && g_fUseSingleToken ) { BYTE abInfo[256]; DWORD dwInfo;
if ( GetTokenInformation( g_hProcessPrimaryToken, TokenUser, abInfo, sizeof(abInfo), &dwInfo ) ) { if ( !(g_psidProcessUser = (PSID)LocalAlloc( LMEM_FIXED, GetLengthSid(((TOKEN_USER*)abInfo)->User.Sid))) ) { fRet = FALSE; } else { memcpy ( g_psidProcessUser, ((TOKEN_USER*)abInfo)->User.Sid, GetLengthSid(((TOKEN_USER*)abInfo)->User.Sid) ); } } else { fRet = FALSE; } }
if ( !fRet ) { error = GetLastError( ); IF_DEBUG( DLL_SECURITY ) { DBGPRINTF(( DBG_CONTEXT, "cannot create well-known sids\n" )); } }
return error;
} // CreateWellKnownSids
/*******************************************************************
NAME: FreeWellKnownSids
SYNOPSIS: Frees the SIDs created with CreateWellKnownSids.
HISTORY: KeithMo 26-Mar-1993 Created.
********************************************************************/VOID FreeWellKnownSids( VOID ){
if( psidWorld != NULL ) { FreeSid( psidWorld ); psidWorld = NULL; }
if( psidLocalSystem != NULL ) { FreeSid( psidLocalSystem ); psidLocalSystem = NULL; }
if( psidAdmins != NULL ) { FreeSid( psidAdmins ); psidAdmins = NULL; }
if( psidServerOps != NULL ) { FreeSid( psidServerOps ); psidServerOps = NULL; }
if( psidPowerUsers != NULL ) { FreeSid( psidPowerUsers ); psidPowerUsers = NULL; }
if( g_psidProcessUser != NULL ) { LocalFree( g_psidProcessUser ); g_psidProcessUser = NULL; }
} // FreeWellKnownSids
/*******************************************************************
NAME: CreateApiSecurityObject
SYNOPSIS: Create an abstract security object used for validating user access to the TCP Server APIs.
RETURNS: NTSTATUS - An NT Status code.
HISTORY: KeithMo 26-Mar-1993 Created.
********************************************************************/DWORD CreateApiSecurityObject( VOID ){ DWORD err; ACE_DATA aces[] = { { ACCESS_ALLOWED_ACE_TYPE, 0, 0, TCP_ALL_ACCESS, &psidLocalSystem },
{ ACCESS_ALLOWED_ACE_TYPE, 0, 0, TCP_ALL_ACCESS, &psidAdmins },
{ ACCESS_ALLOWED_ACE_TYPE, 0, 0, TCP_ALL_ACCESS, &psidServerOps },
{ ACCESS_ALLOWED_ACE_TYPE, 0, 0, TCP_ALL_ACCESS, &psidPowerUsers }, { ACCESS_ALLOWED_ACE_TYPE, 0, 0, TCP_GENERIC_EXECUTE, &psidWorld }, { ACCESS_ALLOWED_ACE_TYPE, 0, 0, TCP_GENERIC_EXECUTE, &g_psidProcessUser },
};
#define NUM_ACES (sizeof(aces) / sizeof(RTL_ACE_DATA))
err = INetCreateSecurityObject( aces, (ULONG)(g_fUseSingleToken ? NUM_ACES : NUM_ACES-1), NULL, NULL, &TCPApiObjectMapping, &sdApiObject );
IF_DEBUG( DLL_SECURITY ) { if( err ) { DBGPRINTF(( DBG_CONTEXT, "cannot create api security object, error %d\n", err )); } }
return err;
} // CreateApiSecurityObject
/*******************************************************************
NAME: DeleteApiSecurityObject
SYNOPSIS: Frees the security descriptor created with CreateApiSecurityObject.
HISTORY: KeithMo 26-Mar-1993 Created.
********************************************************************/VOID DeleteApiSecurityObject( VOID ){ INetDeleteSecurityObject( &sdApiObject );
} // DeleteApiSecurityObject
//
// Short routine to enable the TcbPrivilege for testing services running
// as an executable (rather then a service). Note that the account
// running the .exe must be added in User Manager's User Right's dialog
// under "Act as part of the OS"
//
VOID EnableTcbPrivilege( VOID ){ HANDLE ProcessHandle = NULL; HANDLE TokenHandle = NULL; BOOL Result; LUID TcbValue; LUID AuditValue; TOKEN_PRIVILEGES * TokenPrivileges; CHAR buf[ 5 * sizeof(TOKEN_PRIVILEGES) ];
ProcessHandle = OpenProcess( PROCESS_QUERY_INFORMATION, FALSE, GetCurrentProcessId() );
if ( ProcessHandle == NULL ) {
//
// This should not happen
//
goto Cleanup; }
Result = OpenProcessToken ( ProcessHandle, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &TokenHandle );
if ( !Result ) {
//
// This should not happen
//
goto Cleanup;
}
//
// Find out the value of TakeOwnershipPrivilege
//
Result = LookupPrivilegeValue( NULL, "SeTcbPrivilege", &TcbValue );
if ( !Result ) {
goto Cleanup; }
//
// Need this for RPC impersonation (calls NtAccessCheckAndAuditAlarm)
//
Result = LookupPrivilegeValue( NULL, "SeAuditPrivilege", &AuditValue );
if ( !Result ) {
goto Cleanup; }
//
// Set up the privilege set we will need
//
TokenPrivileges = (TOKEN_PRIVILEGES *) buf;
TokenPrivileges->PrivilegeCount = 2; TokenPrivileges->Privileges[0].Luid = TcbValue; TokenPrivileges->Privileges[0].Attributes = SE_PRIVILEGE_ENABLED; TokenPrivileges->Privileges[1].Luid = AuditValue; TokenPrivileges->Privileges[1].Attributes = SE_PRIVILEGE_ENABLED;
(VOID) AdjustTokenPrivileges ( TokenHandle, FALSE, TokenPrivileges, sizeof(buf), NULL, NULL );
Cleanup:
if ( TokenHandle ) { CloseHandle( TokenHandle ); }
if ( ProcessHandle ) { CloseHandle( ProcessHandle ); }}
�BOOL CrackUserAndDomain( CHAR * pszDomainAndUser, CHAR * * ppszUser, CHAR * * ppszDomain )/*++
Routine Description:
Given a user name potentially in the form domain\user, zero terminates the domain name and returns pointers to the domain name and the user name
Arguments:
pszDomainAndUser - Pointer to user name or domain and user name ppszUser - Receives pointer to user portion of name ppszDomain - Receives pointer to domain portion of name
Return Value:
TRUE if successful, FALSE otherwise (call GetLastError)
--*/{ static CHAR szDefaultDomain[MAX_COMPUTERNAME_LENGTH+1];
//
// Crack the name into domain/user components.
//
*ppszDomain = pszDomainAndUser;#if 1 // DBCS enabling for user name
*ppszUser = (PCHAR)_mbspbrk( (PUCHAR)pszDomainAndUser, (PUCHAR)"/\\" );#else
*ppszUser = strpbrk( pszDomainAndUser, "/\\" );#endif
if( *ppszUser == NULL ) { //
// No domain name specified, just the username so we assume the
// user is on the local machine
//
if ( !*szDefaultDomain ) { if ( !pfnGetDefaultDomainName( szDefaultDomain, sizeof(szDefaultDomain))) { return FALSE; } }
*ppszDomain = szDefaultDomain; *ppszUser = pszDomainAndUser; } else { //
// Both domain & user specified, skip delimiter.
//
**ppszUser = '\0'; (*ppszUser)++;
if( ( **ppszUser == '\0' ) || ( **ppszUser == '\\' ) || ( **ppszUser == '/' ) || ( *pszDomainAndUser == '\0' ) ) { //
// Name is of one of the following (invalid) forms:
//
// "domain\"
// "domain\\..."
// "domain/..."
// "\username"
// "/username"
//
SetLastError( ERROR_INVALID_PARAMETER ); return FALSE; } }
return TRUE;}
�LONGWINAPINullReferenceMapper( IN HMAPPER *pMap )/*++
Routine Description:
Increment reference count to mapper
Arguments:
pMap - ptr to mapper struct
Returns:
Ref count
--*/{ DBG_ASSERT( ((IisMapper*)pMap)->dwSignature == IIS_MAPPER_SIGNATURE );
return pfnInterlockedExchangeAdd( &((IisMapper*)pMap)->lRefCount, 1 ) + 1;}
�LONGWINAPINullDeReferenceMapper( IN HMAPPER *pMap )/*++
Routine Description:
Decrement reference count to mapper
Arguments:
pMap - ptr to mapper struct
Returns:
Ref count
--*/{ LONG l;
DBG_ASSERT( ((IisMapper*)pMap)->dwSignature == IIS_MAPPER_SIGNATURE );
if ( !(l = pfnInterlockedExchangeAdd( &((IisMapper*)pMap)->lRefCount, -1 ) - 1 ) ) { LocalFree( pMap ); }
return l;}
DWORD WINAPI NullGetIssuerList( HMAPPER *phMapper, // in
VOID * Reserved, // in
BYTE * pIssuerList, // out
DWORD * pcbIssuerList // out
)/*++
Routine Description:
Called to retrieve the list of preferred cert issuers
Arguments:
ppIssuer -- updated with ptr buffer of issuers pdwIssuer -- updated with issuers buffer size
Returns:
TRUE if success, FALSE if error
--*/{ return SEC_E_UNSUPPORTED_FUNCTION;}
DWORD WINAPI NullGetChallenge( HMAPPER *pMap, // in
BYTE * pAuthenticatorId, // in
DWORD cbAuthenticatorId, // in
BYTE * pChallenge, // out
DWORD * pcbChallenge // out
)/*++
Routine Description:
Get challenge for auth sequence
Arguments:
Not used
Returns:
FALSE ( not supported )
--*/{ DBG_ASSERT( ((IisMapper*)pMap)->dwSignature == IIS_MAPPER_SIGNATURE );
return SEC_E_UNSUPPORTED_FUNCTION;}
DWORD WINAPI NullMapCredential( HMAPPER * phMapper, DWORD dwCredentialType, const VOID* pCredential, // in
const VOID* pAuthority, // in
HLOCATOR * phToken)/*++
Routine Description:
Called to map a certificate to a NT account
Arguments:
phMapper - ptr to mapper descriptor dwCredentialType -- type of credential pCredential - ptr to PCERT_CONTEXT for client cert pAuthority - ptr to PCERT_CONTEXT for Certifying authority phToken -- updated with impersonation access token
Returns:
FALSE ( mapping always fail )
--*/{ DBG_ASSERT( ((IisMapper*)phMapper)->dwSignature == IIS_MAPPER_SIGNATURE );
return SEC_E_UNSUPPORTED_FUNCTION;}
DWORD WINAPI NullCloseLocator( HMAPPER *pMap, HLOCATOR hLocator //in
)/*++
Routine Description:
Called to close a HLOCATOR returned by MapCredential
Arguments:
tokenhandle -- HLOCATOR
Returns:
TRUE if success, FALSE if error
--*/{ DBG_ASSERT( ((IisMapper*)pMap)->dwSignature == IIS_MAPPER_SIGNATURE );
if (hLocator == 1) { return SEC_E_OK; } else { if (CloseHandle( (HANDLE)hLocator )) {\ return SEC_E_OK; } else { } } return hLocator == 1 ? TRUE : CloseHandle( (HANDLE)hLocator );}
DWORD WINAPI NullGetAccessToken( HMAPPER *pMap, HLOCATOR tokenhandle, HANDLE * phToken )/*++
Routine Description:
Called to retrieve an access token from a mapping
Arguments:
tokenhandle -- HLOCATOR returned by MapCredential phToken -- updated with potentially new token
Returns:
TRUE if success, FALSE if error
--*/{ DBG_ASSERT( ((IisMapper*)pMap)->dwSignature == IIS_MAPPER_SIGNATURE );
if ( tokenhandle == 1 ) { *phToken = (HANDLE)tokenhandle; }
else if ( !pfnDuplicateTokenEx( (HANDLE)tokenhandle, TOKEN_ALL_ACCESS, NULL, SecurityImpersonation, TokenImpersonation, phToken )) { return SEC_E_UNSUPPORTED_FUNCTION; }
return SEC_E_OK;}
DWORD WINAPI NullQueryMappedCredentialAttributes( HMAPPER *phMapper, // in
HLOCATOR hLocator, // in
ULONG ulAttribute, // in
PVOID pBuffer, //out
DWORD *pcbBuffer // in out
){ return ( SEC_E_NOT_SUPPORTED );}
QuerySingleAccessToken( VOID )/*++
Routine Description:
Query status of single access token mode
Arguments:
None
Returns:
TRUE if single access token mode used, otherwise FALSE
--*/{ return g_fUseSingleToken;}
BOOLCACHED_CREDENTIAL::GetCredential( LPSTR pszPackage, PIIS_SERVER_INSTANCE psi, PTCP_AUTHENT_INFO pTAI, CredHandle* prcred, ULONG* pcbMaxToken )/*++
Routine Description:
Get SSPI credential handle from cache
Arguments:
pszPackage - SSPI package name, e.g NTLM psi - pointer to server instance pTAI - pointer to authent info, only DomainName used prcred - updated with CredHandle from cache pcbMaxToken - updated with max token size used by this package
Returns:
TRUE if success, otherwise FALSE
--*/{ LIST_ENTRY * pEntry; CACHED_CREDENTIAL * pcred; SEC_WINNT_AUTH_IDENTITY AuthIdentity; SEC_WINNT_AUTH_IDENTITY * pAuthIdentity; SecPkgInfo * pspkg; TimeStamp Lifetime; STACK_STR ( strDefaultLogonDomain, IIS_DNLEN+1 ); SECURITY_STATUS ss;
DBG_ASSERT( pszPackage != NULL ); DBG_ASSERT( pTAI != NULL );
EnterCriticalSection( &csCredentialCacheLock );
for ( pEntry = CredentialCacheList.Flink; pEntry != &CredentialCacheList; pEntry = pEntry->Flink ) { pcred = CONTAINING_RECORD( pEntry, CACHED_CREDENTIAL, _ListEntry );
if ( !strcmp( pszPackage, pcred->_PackageName.QueryStr() ) && !strcmp( pTAI->strDefaultLogonDomain.QueryStr(), pcred->_DefaultDomain.QueryStr() ) ) { goto Exit; } }
if ( (pcred = new CACHED_CREDENTIAL) == NULL ) { SetLastError( ERROR_NOT_ENOUGH_MEMORY ); goto Exit; }
if ( !pcred->_PackageName.Copy( pszPackage ) || !pcred->_DefaultDomain.Copy( pTAI->strDefaultLogonDomain ) ) { delete pcred; pcred = NULL; goto Exit; }
//
// provide default logon domain
//
if ( psi == NULL ) { pAuthIdentity = NULL; } else { pAuthIdentity = &AuthIdentity;
memset( &AuthIdentity, 0, sizeof( AuthIdentity ));
if ( pTAI->strDefaultLogonDomain.QueryCCH() <= IIS_DNLEN ) { strDefaultLogonDomain.Copy( pTAI->strDefaultLogonDomain ); AuthIdentity.Domain = (LPBYTE)strDefaultLogonDomain.QueryStr(); } if ( AuthIdentity.Domain != NULL ) { if ( AuthIdentity.DomainLength = strlen( (LPCTSTR)AuthIdentity.Domain ) ) { // remove trailing '\\' if present
if ( AuthIdentity.Domain[AuthIdentity.DomainLength-1] == '\\' ) { --AuthIdentity.DomainLength; } } } if ( AuthIdentity.DomainLength == 0 ) { pAuthIdentity = NULL; } else { AuthIdentity.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI; } }
ss = pfnAcquireCredentialsHandle( NULL, // New principal
pszPackage, // Package name
SECPKG_CRED_INBOUND, NULL, // Logon ID
pAuthIdentity, // Auth Data
NULL, // Get key func
NULL, // Get key arg
&pcred->_hcred, &Lifetime );
//
// Need to determine the max token size for this package
//
if ( ss == STATUS_SUCCESS ) { pcred->_fHaveCredHandle = TRUE; ss = pfnQuerySecurityPackageInfo( (char *) pszPackage, &pspkg ); }
if ( ss == STATUS_SUCCESS ) { pcred->_cbMaxToken = pspkg->cbMaxToken; DBG_ASSERT( pspkg->fCapabilities & SECPKG_FLAG_CONNECTION ); pfnFreeContextBuffer( pspkg ); }
if ( ss != STATUS_SUCCESS ) { DBGPRINTF(( DBG_CONTEXT, "[GetCredential] AcquireCredentialsHandle or QuerySecurityPackageInfo failed, error %d\n", ss ));
SetLastError( ss );
delete pcred; pcred = NULL; } else { InsertHeadList( &CredentialCacheList, &pcred->_ListEntry ); }
Exit:
if ( pcred ) { *pcbMaxToken = pcred->_cbMaxToken; *prcred = pcred->_hcred; }
LeaveCriticalSection( &csCredentialCacheLock );
return pcred ? TRUE : FALSE;}
CACHED_CREDENTIAL::~CACHED_CREDENTIAL( )/*++
Routine Description:
SSPI Credential cache entry destructor
Arguments:
None
Returns:
Nothing
--*/{ if ( _fHaveCredHandle ) { pfnFreeCredentialsHandle( &_hcred ); }}
|
