archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 1b390dddff
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '1b390dddff'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/protocols/kerberos/client2/kerberos.cxx

1181 lines
30 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+-----------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. //
  5. // Copyright (c) Microsoft Corporation 1992 - 1996
  6. //
  7. // File: kerberos.cxx
  8. //
  9. // Contents: main entrypoints for the Kerberos security package
  10. //
  11. //
  12. // History: 16-April-1996 Created MikeSw
  13. // 26-Sep-1998 ChandanS
  14. // Added more debugging support etc.
  15. //
  16. //------------------------------------------------------------------------
  19. #include <kerb.hxx>
  20. #define KERBP_ALLOCATE
  21. #include <kerbp.h>
  22. #include <userapi.h>
  23. #include <safeboot.h>
  24. #include <spncache.h>
  25. #include <wow64t.h>
  27. #ifdef RETAIL_LOG_SUPPORT
  28. static TCHAR THIS_FILE[]=TEXT(__FILE__);
  29. HANDLE g_hParamEvent = NULL;
  30. HKEY g_hKeyParams = NULL;
  31. #endif
  33. #ifndef WIN32_CHICAGO
  34. #ifdef RETAIL_LOG_SUPPORT
  36. DEFINE_DEBUG2(Kerb);
  37. extern DWORD KSuppInfoLevel; // needed to adjust values for common2 dir
  38. HANDLE g_hWait = NULL;
  40. DEBUG_KEY KerbDebugKeys[] = { {DEB_ERROR, "Error"},
  41. {DEB_WARN, "Warn"},
  42. {DEB_TRACE, "Trace"},
  43. {DEB_TRACE_API, "API"},
  44. {DEB_TRACE_CRED, "Cred"},
  45. {DEB_TRACE_CTXT, "Ctxt"},
  46. {DEB_TRACE_LSESS, "LSess"},
  47. {DEB_TRACE_LOGON, "Logon"},
  48. {DEB_TRACE_KDC, "KDC"},
  49. {DEB_TRACE_CTXT2, "Ctxt2"},
  50. {DEB_TRACE_TIME, "Time"},
  51. {DEB_TRACE_LOCKS, "Locks"},
  52. {DEB_TRACE_LEAKS, "Leaks"},
  53. {DEB_TRACE_SPN_CACHE, "SPN"},
  54. {DEB_TRACE_LOOPBACK, "LoopBack"},
  55. {DEB_TRACE_U2U, "U2U"},
  56. {0, NULL},
  57. };
  60. VOID
  61. KerbInitializeDebugging(
  62. VOID
  63. )
  64. {
  65. KerbInitDebug(KerbDebugKeys);
  67. }
  69. ////////////////////////////////////////////////////////////////////
  70. //
  71. // Name: KerbGetKerbRegParams
  72. //
  73. // Synopsis: Gets the debug paramaters from the registry
  74. //
  75. // Arguments: HKEY to HKLM/System/CCS/LSA/Kerberos
  76. //
  77. // Notes: Sets KerbInfolevel for debug spew
  78. //
  79. void
  80. KerbGetKerbRegParams(HKEY ParamKey)
  81. {
  83. DWORD cbType, tmpInfoLevel = KerbInfoLevel, cbSize;
  84. DWORD dwErr;
  86. cbSize = sizeof(tmpInfoLevel);
  88. dwErr = RegQueryValueExW(
  89. ParamKey,
  90. WSZ_KERBDEBUGLEVEL,
  91. NULL,
  92. &cbType,
  93. (LPBYTE)&tmpInfoLevel,
  94. &cbSize
  95. );
  96. if (dwErr != ERROR_SUCCESS)
  97. {
  98. if (dwErr == ERROR_FILE_NOT_FOUND)
  99. {
  100. // no registry value is present, don't want info
  101. // so reset to defaults
  102. #if DBG
  103. KSuppInfoLevel = KerbInfoLevel = DEB_ERROR;
  105. #else // fre
  106. KSuppInfoLevel = KerbInfoLevel = 0;
  107. #endif
  108. }else{
  109. D_DebugLog((DEB_WARN, "Failed to query DebugLevel: 0x%x\n", dwErr));
  110. }
  112. }
  114. // TBD: Validate flags?
  115. KSuppInfoLevel = KerbInfoLevel = tmpInfoLevel;
  117. cbSize = sizeof(tmpInfoLevel);
  119. dwErr = RegQueryValueExW(
  120. ParamKey,
  121. WSZ_FILELOG,
  122. NULL,
  123. &cbType,
  124. (LPBYTE)&tmpInfoLevel,
  125. &cbSize
  126. );
  128. if (dwErr == ERROR_SUCCESS)
  129. {
  130. KerbSetLoggingOption((BOOL) tmpInfoLevel);
  131. }
  132. else if (dwErr == ERROR_FILE_NOT_FOUND)
  133. {
  134. KerbSetLoggingOption(FALSE);
  135. }
  137. cbSize = sizeof(tmpInfoLevel);
  139. dwErr = RegQueryValueExW(
  140. ParamKey,
  141. KERB_PARAMETER_RETRY_PDC,
  142. NULL,
  143. &cbType,
  144. (LPBYTE)&tmpInfoLevel,
  145. &cbSize
  146. );
  148. if (dwErr == ERROR_SUCCESS)
  149. {
  150. if( tmpInfoLevel != 0 )
  151. {
  152. KerbGlobalRetryPdc = TRUE;
  153. } else {
  154. KerbGlobalRetryPdc = FALSE;
  155. }
  157. }
  158. else if (dwErr == ERROR_FILE_NOT_FOUND)
  159. {
  160. KerbGlobalRetryPdc = FALSE;
  161. }
  164. return;
  165. }
  167. ////////////////////////////////////////////////////////////////////
  168. //
  169. // Name: KerbWaitCleanup
  170. //
  171. // Synopsis: Cleans up wait from KerbWatchParamKey()
  172. //
  173. // Arguments: <none>
  174. //
  175. // Notes: .
  176. //
  177. void
  178. KerbWaitCleanup()
  179. {
  181. NTSTATUS Status = STATUS_SUCCESS;
  183. if (NULL != g_hWait) {
  184. Status = RtlDeregisterWait(g_hWait);
  185. if (NT_SUCCESS(Status) && NULL != g_hParamEvent ) {
  186. CloseHandle(g_hParamEvent);
  187. }
  188. }
  189. }
  193. ////////////////////////////////////////////////////////////////////
  194. //
  195. // Name: KerbWatchParamKey
  196. //
  197. // Synopsis: Sets RegNotifyChangeKeyValue() on param key, initializes
  198. // debug level, then utilizes thread pool to wait on
  199. // changes to this registry key. Enables dynamic debug
  200. // level changes, as this function will also be callback
  201. // if registry key modified.
  202. //
  203. // Arguments: pCtxt is actually a HANDLE to an event. This event
  204. // will be triggered when key is modified.
  205. //
  206. // Notes: .
  207. //
  208. VOID
  209. KerbWatchKerbParamKey(PVOID pCtxt,
  210. BOOLEAN fWaitStatus)
  211. {
  212. NTSTATUS Status;
  213. LONG lRes = ERROR_SUCCESS;
  215. if (NULL == g_hKeyParams) // first time we've been called.
  216. {
  217. lRes = RegOpenKeyExW(
  218. HKEY_LOCAL_MACHINE,
  219. KERB_PARAMETER_PATH,
  220. 0,
  221. KEY_READ,
  222. &g_hKeyParams);
  224. if (ERROR_SUCCESS != lRes)
  225. {
  226. D_DebugLog((DEB_WARN,"Failed to open kerberos key: 0x%x\n", lRes));
  227. goto Reregister;
  228. }
  229. }
  231. if (NULL != g_hWait)
  232. {
  233. Status = RtlDeregisterWait(g_hWait);
  234. if (!NT_SUCCESS(Status))
  235. {
  236. D_DebugLog((DEB_WARN, "Failed to Deregister wait on registry key: 0x%x\n", Status));
  237. goto Reregister;
  238. }
  240. }
  242. lRes = RegNotifyChangeKeyValue(
  243. g_hKeyParams,
  244. FALSE,
  245. REG_NOTIFY_CHANGE_LAST_SET,
  246. (HANDLE) pCtxt,
  247. TRUE);
  249. if (ERROR_SUCCESS != lRes)
  250. {
  251. D_DebugLog((DEB_ERROR,"Debug RegNotify setup failed: 0x%x\n", lRes));
  252. // we're tanked now. No further notifications, so get this one
  253. }
  255. KerbGetKerbRegParams(g_hKeyParams);
  257. Reregister:
  259. Status = RtlRegisterWait(&g_hWait,
  260. (HANDLE) pCtxt,
  261. KerbWatchKerbParamKey,
  262. (HANDLE) pCtxt,
  263. INFINITE,
  264. WT_EXECUTEINPERSISTENTIOTHREAD|
  265. WT_EXECUTEONLYONCE);
  267. }
  269. #endif // RETAIL_LOG_SUPPORT
  271. NTSTATUS NTAPI
  272. SpCleanup(
  273. VOID
  274. );
  277. BOOL
  278. DllMain(
  279. HINSTANCE Module,
  280. ULONG Reason,
  281. PVOID Context
  282. )
  283. {
  284. if ( Reason == DLL_PROCESS_ATTACH )
  285. {
  286. DisableThreadLibraryCalls( Module );
  287. }
  288. else if ( Reason == DLL_PROCESS_DETACH )
  289. {
  290. #if RETAIL_LOG_SUPPORT
  291. KerbUnloadDebug();
  292. KerbWaitCleanup();
  293. #endif
  294. }
  296. return TRUE ;
  297. }
  300. //+-------------------------------------------------------------------------
  301. //
  302. // Function: SpLsaModeInitialize
  303. //
  304. // Synopsis: This function is called by the LSA when this DLL is loaded.
  305. // It returns security package function tables for all
  306. // security packages in the DLL.
  307. //
  308. // Effects:
  309. //
  310. // Arguments: LsaVersion - Version number of the LSA
  311. // PackageVersion - Returns version number of the package
  312. // Tables - Returns array of function tables for the package
  313. // TableCount - Returns number of entries in array of
  314. // function tables.
  315. //
  316. // Requires:
  317. //
  318. // Returns:
  319. //
  320. // Notes:
  321. //
  322. //
  323. //--------------------------------------------------------------------------
  326. NTSTATUS NTAPI
  327. SpLsaModeInitialize(
  328. IN ULONG LsaVersion,
  329. OUT PULONG PackageVersion,
  330. OUT PSECPKG_FUNCTION_TABLE * Tables,
  331. OUT PULONG TableCount
  332. )
  333. {
  334. KerbInitializeDebugging();
  336. #ifdef RETAIL_LOG_SUPPORT
  338. g_hParamEvent = CreateEvent(NULL,
  339. FALSE,
  340. FALSE,
  341. NULL);
  343. if (NULL == g_hParamEvent)
  344. {
  345. D_DebugLog((DEB_WARN, "CreateEvent for ParamEvent failed - 0x%x\n", GetLastError()));
  346. } else {
  347. KerbWatchKerbParamKey(g_hParamEvent, FALSE);
  348. }
  350. #endif // RETAIL_LOG_SUPPORT
  352. if (LsaVersion != SECPKG_INTERFACE_VERSION)
  353. {
  354. D_DebugLog((DEB_ERROR,"Invalid LSA version: %d. %ws, line %d\n",LsaVersion, THIS_FILE, __LINE__));
  355. return(STATUS_INVALID_PARAMETER);
  356. }
  358. KerberosFunctionTable.InitializePackage = NULL;;
  359. KerberosFunctionTable.LogonUser = NULL;
  360. KerberosFunctionTable.CallPackage = LsaApCallPackage;
  361. KerberosFunctionTable.LogonTerminated = LsaApLogonTerminated;
  362. KerberosFunctionTable.CallPackageUntrusted = LsaApCallPackageUntrusted;
  363. KerberosFunctionTable.LogonUserEx2 = LsaApLogonUserEx2;
  364. KerberosFunctionTable.Initialize = SpInitialize;
  365. KerberosFunctionTable.Shutdown = SpShutdown;
  366. KerberosFunctionTable.GetInfo = SpGetInfo;
  367. KerberosFunctionTable.AcceptCredentials = SpAcceptCredentials;
  368. KerberosFunctionTable.AcquireCredentialsHandle = SpAcquireCredentialsHandle;
  369. KerberosFunctionTable.FreeCredentialsHandle = SpFreeCredentialsHandle;
  370. KerberosFunctionTable.QueryCredentialsAttributes = SpQueryCredentialsAttributes;
  371. KerberosFunctionTable.SaveCredentials = SpSaveCredentials;
  372. KerberosFunctionTable.GetCredentials = SpGetCredentials;
  373. KerberosFunctionTable.DeleteCredentials = SpDeleteCredentials;
  374. KerberosFunctionTable.InitLsaModeContext = SpInitLsaModeContext;
  375. KerberosFunctionTable.AcceptLsaModeContext = SpAcceptLsaModeContext;
  376. KerberosFunctionTable.DeleteContext = SpDeleteContext;
  377. KerberosFunctionTable.ApplyControlToken = SpApplyControlToken;
  378. KerberosFunctionTable.GetUserInfo = SpGetUserInfo;
  379. KerberosFunctionTable.GetExtendedInformation = SpGetExtendedInformation;
  380. KerberosFunctionTable.QueryContextAttributes = SpQueryLsaModeContextAttributes;
  381. KerberosFunctionTable.CallPackagePassthrough = LsaApCallPackagePassthrough;
  384. *PackageVersion = SECPKG_INTERFACE_VERSION;
  386. *TableCount = 1;
  387. *Tables = &KerberosFunctionTable;
  389. // initialize event tracing (a/k/a WMI tracing, software tracing)
  390. KerbInitializeTrace();
  392. return(STATUS_SUCCESS);
  393. }
  394. #endif // WIN32_CHICAGO
  398. //+-------------------------------------------------------------------------
  399. //
  400. // Function: SpInitialize
  401. //
  402. // Synopsis: Initializes the Kerberos package
  403. //
  404. // Effects:
  405. //
  406. // Arguments: PackageId - Contains ID for this package assigned by LSA
  407. // Parameters - Contains machine-specific information
  408. // FunctionTable - Contains table of LSA helper routines
  409. //
  410. // Requires:
  411. //
  412. // Returns:
  413. //
  414. // Notes:
  415. //
  416. //
  417. //--------------------------------------------------------------------------
  419. NTSTATUS NTAPI
  420. SpInitialize(
  421. IN ULONG_PTR PackageId,
  422. IN PSECPKG_PARAMETERS Parameters,
  423. IN PLSA_SECPKG_FUNCTION_TABLE FunctionTable
  424. )
  425. {
  426. NTSTATUS Status;
  427. UNICODE_STRING TempUnicodeString;
  428. #ifndef WIN32_CHICAGO
  429. WCHAR SafeBootEnvVar[sizeof(SAFEBOOT_MINIMAL_STR_W) + sizeof(WCHAR)];
  430. #endif // WIN32_CHICAGO
  431. UNICODE_STRING DnsString = {0};;
  432. #ifdef WIN32_CHICAGO
  433. PKERB_LOGON_SESSION LogonSession = NULL;
  434. #endif // WIN32_CHICAGO
  436. #ifndef WIN32_CHICAGO
  437. RtlInitializeResource(&KerberosGlobalResource);
  438. #endif // WIN32_CHICAGO
  439. KerberosPackageId = PackageId;
  440. LsaFunctions = FunctionTable;
  443. #ifndef WIN32_CHICAGO
  444. KerberosState = KerberosLsaMode;
  445. #else // WIN32_CHICAGO
  446. KerberosState = KerberosUserMode;
  447. #endif // WIN32_CHICAGO
  450. RtlInitUnicodeString(
  451. &KerbPackageName,
  452. MICROSOFT_KERBEROS_NAME_W
  453. );
  455. #ifndef WIN32_CHICAGO
  456. // Check is we are in safe boot.
  458. //
  459. // Does environment variable exist
  460. //
  462. RtlZeroMemory( SafeBootEnvVar, sizeof( SafeBootEnvVar ) );
  464. KerbGlobalSafeModeBootOptionPresent = FALSE;
  466. if ( GetEnvironmentVariable(L"SAFEBOOT_OPTION", SafeBootEnvVar, sizeof(SafeBootEnvVar)/sizeof(SafeBootEnvVar[0]) ) )
  467. {
  468. if ( !wcscmp( SafeBootEnvVar, SAFEBOOT_MINIMAL_STR_W ) )
  469. {
  470. KerbGlobalSafeModeBootOptionPresent = TRUE;
  471. }
  472. }
  473. #endif // WIN32_CHICAGO
  476. Status = KerbInitializeEvents();
  477. if (!NT_SUCCESS(Status))
  478. {
  479. goto Cleanup;
  480. }
  482. //
  483. // Init data for the kdc calling routine
  484. //
  486. #ifndef WIN32_CHICAGO
  487. Status = KerbInitKdcData();
  488. if (!NT_SUCCESS(Status))
  489. {
  490. goto Cleanup;
  491. }
  494. //
  495. // init global LSA policy handle.
  496. //
  498. Status = LsaIOpenPolicyTrusted(
  499. &KerbGlobalPolicyHandle
  500. );
  502. if(!NT_SUCCESS(Status))
  503. {
  504. goto Cleanup;
  505. }
  507. #endif // WIN32_CHICAGO
  509. //
  510. // Get information about encryption
  511. //
  513. if ((Parameters->MachineState & SECPKG_STATE_ENCRYPTION_PERMITTED) != 0)
  514. {
  515. KerbGlobalEncryptionPermitted = TRUE;
  516. }
  517. if ((Parameters->MachineState & SECPKG_STATE_STRONG_ENCRYPTION_PERMITTED) != 0)
  518. {
  519. KerbGlobalStrongEncryptionPermitted = TRUE;
  520. }
  522. //
  523. // Get our global role
  524. //
  526. if ((Parameters->MachineState & SECPKG_STATE_DOMAIN_CONTROLLER) != 0)
  527. {
  528. //
  529. // We will behave like a member workstation/server until the DS
  530. // says we are ready to act as a DC
  531. //
  533. KerbGlobalRole = KerbRoleWorkstation;
  534. }
  535. else if ((Parameters->MachineState & SECPKG_STATE_WORKSTATION) != 0)
  536. {
  537. KerbGlobalRole = KerbRoleWorkstation;
  538. }
  539. else
  540. {
  541. KerbGlobalRole = KerbRoleStandalone;
  542. }
  544. //
  545. // Fill in various useful constants
  546. //
  548. KerbSetTime(&KerbGlobalWillNeverTime, MAXTIMEQUADPART);
  549. KerbSetTime(&KerbGlobalHasNeverTime, 0);
  551. //
  552. // compute blank password hashes.
  553. //
  555. Status = RtlCalculateLmOwfPassword( "", &KerbGlobalNullLmOwfPassword );
  556. ASSERT( NT_SUCCESS(Status) );
  558. RtlInitUnicodeString(&TempUnicodeString, NULL);
  559. Status = RtlCalculateNtOwfPassword(&TempUnicodeString,
  560. &KerbGlobalNullNtOwfPassword);
  561. ASSERT( NT_SUCCESS(Status) );
  563. RtlInitUnicodeString(
  564. &KerbGlobalKdcServiceName,
  565. KDC_PRINCIPAL_NAME
  566. );
  568. //
  569. // At some point we may want to read the registry here to
  570. // find out whether we need to enforce times, currently times
  571. // are always enforced.
  572. //
  574. KerbGlobalEnforceTime = FALSE;
  576. //
  577. // Get the machine Name
  578. //
  581. Status = KerbSetComputerName();
  583. if( !NT_SUCCESS(Status) )
  584. {
  585. D_DebugLog((DEB_ERROR,"KerbSetComputerName failed\n"));
  586. goto Cleanup;
  587. }
  589. //
  590. // Initialize the logon session list. This has to be done because
  591. // KerbSetDomainName will try to acess the logon session list
  592. //
  594. Status = KerbInitLogonSessionList();
  595. if (!NT_SUCCESS(Status))
  596. {
  597. D_DebugLog((DEB_ERROR,"Failed to initialize logon session list: 0x%x. %ws, line %d\n",
  598. Status, THIS_FILE, __LINE__ ));
  599. goto Cleanup;
  600. }
  602. Status = KerbInitNetworkServiceLoopbackDetection();
  603. if (!NT_SUCCESS(Status))
  604. {
  605. D_DebugLog((DEB_ERROR, "Failed to initialize network service loopback detection: 0x%x. %ws, line %d\n",
  606. Status, THIS_FILE, __LINE__ ));
  607. goto Cleanup;
  608. }
  610. Status = KerbCreateSKeyTimer();
  611. if (!NT_SUCCESS(Status))
  612. {
  613. D_DebugLog((DEB_ERROR, "Failed to initialize network service session key list timer: 0x%x. %ws, line %d\n",
  614. Status, THIS_FILE, __LINE__ ));
  615. goto Cleanup;
  616. }
  618. Status = KerbInitTicketHandling();
  619. if (!NT_SUCCESS(Status))
  620. {
  621. D_DebugLog((DEB_ERROR,"Failed to initialize ticket handling: 0x%x. %ws, line %d\n",
  622. Status, THIS_FILE, __LINE__));
  623. goto Cleanup;
  624. }
  626. #ifndef WIN32_CHICAGO
  627. Status = KerbInitializeLogonSidCache();
  628. if (!NT_SUCCESS(Status))
  629. {
  630. D_DebugLog((DEB_ERROR,"Failed to initialize sid cache: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
  631. goto Cleanup;
  632. }
  633. #endif
  636. //
  637. // Update all global structures referencing the domain name
  638. //
  640. Status = KerbSetDomainName(
  641. &Parameters->DomainName,
  642. &Parameters->DnsDomainName,
  643. Parameters->DomainSid,
  644. Parameters->DomainGuid
  645. );
  646. if (!NT_SUCCESS(Status))
  647. {
  648. goto Cleanup;
  649. }
  651. //
  652. // Initialize the internal Kerberos lists
  653. //
  656. Status = KerbInitCredentialList();
  657. if (!NT_SUCCESS(Status))
  658. {
  659. D_DebugLog((DEB_ERROR,"Failed to initialize credential list: 0x%x. %ws, line %d\n",
  660. Status, THIS_FILE, __LINE__ ));
  661. goto Cleanup;
  662. }
  664. Status = KerbInitContextList();
  665. if (!NT_SUCCESS(Status))
  666. {
  667. D_DebugLog((DEB_ERROR,"Failed to initialize context list: 0x%x. %ws, line %d\n",
  668. Status, THIS_FILE, __LINE__ ));
  669. goto Cleanup;
  670. }
  671. Status = KerbInitTicketCaching();
  672. if (!NT_SUCCESS(Status))
  673. {
  674. D_DebugLog((DEB_ERROR,"Failed to initialize ticket cache: 0x%x. %ws, line %d\n",
  675. Status, THIS_FILE, __LINE__));
  676. goto Cleanup;
  678. }
  680. Status = KerbInitBindingCache();
  681. if (!NT_SUCCESS(Status))
  682. {
  683. D_DebugLog((DEB_ERROR,"Failed to initialize binding cache: 0x%x. %ws, line %d\n",
  684. Status, THIS_FILE, __LINE__));
  685. goto Cleanup;
  686. }
  688. Status = KerbInitSpnCache();
  689. if (!NT_SUCCESS(Status))
  690. {
  691. D_DebugLog((DEB_ERROR,"Failed to initialize SPN cache: 0x%x. %ws, line %d\n",
  692. Status, THIS_FILE, __LINE__));
  693. goto Cleanup;
  694. }
  696. Status = KerbInitializeMitRealmList();
  697. if (!NT_SUCCESS(Status))
  698. {
  699. D_DebugLog((DEB_ERROR,"Failed to initialize MIT realm list: 0x%x. %ws, line %d\n",
  700. Status, THIS_FILE, __LINE__ ));
  701. goto Cleanup;
  702. }
  704. #ifndef WIN32_CHICAGO
  705. Status = KerbInitializePkinit();
  706. if (!NT_SUCCESS(Status))
  707. {
  708. D_DebugLog((DEB_ERROR,"Failed to initialize PKINT: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
  709. goto Cleanup;
  710. }
  711. #endif // WIN32_CHICAGO
  713. Status = KerbInitializeSockets(
  714. MAKEWORD(1,1), // we want version 1.1
  715. 1, // we need at least 1 socket
  716. &KerbGlobalNoTcpUdp
  717. );
  719. if (!NT_SUCCESS(Status))
  720. {
  721. D_DebugLog((DEB_ERROR,"Failed to initialize sockets: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
  722. goto Cleanup;
  723. }
  725. #ifndef WIN32_CHICAGO
  726. Status = KerbRegisterForDomainChange();
  727. if (!NT_SUCCESS(Status))
  728. {
  729. D_DebugLog((DEB_ERROR, "Failed to register for domain change notification: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
  730. goto Cleanup;
  731. }
  733. //
  734. // Check to see if there is a CSP registered for replacing the StringToKey calculation
  735. //
  736. CheckForOutsideStringToKey();
  738. //
  739. // Register to update the machine sid cache
  740. //
  742. KerbWaitGetMachineSid();
  744. //
  745. // See if there are any "join hints" to process
  746. //
  747. ReadInitialDcRecord(
  748. &KerbGlobalInitialDcRecord,
  749. &KerbGlobalInitialDcAddressType,
  750. &KerbGlobalInitialDcFlags
  751. );
  754. #endif // WIN32_CHICAGO
  756. KerbGlobalSocketsInitialized = TRUE;
  757. KerbGlobalInitialized = TRUE;
  759. Cleanup:
  760. KerbFreeString(
  761. &DnsString
  762. );
  763. //
  764. // If we failed to initialize, shutdown
  765. //
  767. if (!NT_SUCCESS(Status))
  768. {
  769. SpCleanup();
  770. }
  772. return(Status);
  773. }
  776. //+-------------------------------------------------------------------------
  777. //
  778. // Function: SpCleanup
  779. //
  780. // Synopsis: Function to shutdown the Kerberos package.
  781. //
  782. // Effects: Forces the freeing of all credentials, contexts and
  783. // logon sessions and frees all global data
  784. //
  785. // Arguments: none
  786. //
  787. // Requires:
  788. //
  789. // Returns:
  790. //
  791. // Notes: STATUS_SUCCESS in all cases
  792. //
  793. //
  794. //--------------------------------------------------------------------------
  797. NTSTATUS NTAPI
  798. SpCleanup(
  799. VOID
  800. )
  801. {
  802. KerbGlobalInitialized = FALSE;
  803. #ifndef WIN32_CHICAGO
  804. KerbUnregisterForDomainChange();
  805. #endif // WIN32_CHICAGO
  806. KerbFreeLogonSessionList();
  807. KerbFreeContextList();
  808. KerbFreeTicketCache();
  809. // KerbFreeCredentialList();
  811. KerbFreeNetworkServiceSKeyListAndLock();
  812. KerbFreeSKeyTimer();
  814. KerbFreeString(&KerbGlobalDomainName);
  815. KerbFreeString(&KerbGlobalDnsDomainName);
  816. KerbFreeString(&KerbGlobalMachineName);
  817. KerbFreeString((PUNICODE_STRING) &KerbGlobalKerbMachineName);
  818. KerbFreeString(&KerbGlobalMachineServiceName);
  819. KerbFreeKdcName(&KerbGlobalInternalMachineServiceName);
  820. KerbFreeKdcName(&KerbGlobalMitMachineServiceName);
  822. KerbCleanupTicketHandling();
  823. #ifndef WIN32_CHICAGO
  824. if( KerbGlobalPolicyHandle != NULL )
  825. {
  826. LsarClose( &KerbGlobalPolicyHandle );
  827. KerbGlobalPolicyHandle = NULL;
  828. }
  830. if (KerbGlobalDomainSid != NULL)
  831. {
  832. KerbFree(KerbGlobalDomainSid);
  833. }
  834. #endif // WIN32_CHICAGO
  836. if (KerbGlobalSocketsInitialized)
  837. {
  838. KerbCleanupSockets();
  839. }
  840. KerbCleanupBindingCache(FALSE);
  841. KerbUninitializeMitRealmList();
  842. #ifndef WIN32_CHICAGO
  843. KerbFreeKdcData();
  844. // RtlDeleteResource(&KerberosGlobalResource);
  845. #endif // WIN32_CHICGAO
  847. KerbShutdownEvents();
  848. return(STATUS_SUCCESS);
  849. }
  851. //+-------------------------------------------------------------------------
  852. //
  853. // Function: SpShutdown
  854. //
  855. // Synopsis: Exported function to shutdown the Kerberos package.
  856. //
  857. // Effects: Forces the freeing of all credentials, contexts and
  858. // logon sessions and frees all global data
  859. //
  860. // Arguments: none
  861. //
  862. // Requires:
  863. //
  864. // Returns:
  865. //
  866. // Notes: STATUS_SUCCESS in all cases
  867. //
  868. //
  869. //--------------------------------------------------------------------------
  872. NTSTATUS NTAPI
  873. SpShutdown(
  874. VOID
  875. )
  876. {
  877. #if 0
  878. SpCleanup();
  879. #endif
  880. return(STATUS_SUCCESS);
  881. }
  884. #ifndef WIN32_CHICAGO
  885. //+-------------------------------------------------------------------------
  886. //
  887. // Function: SpGetInfo
  888. //
  889. // Synopsis: Returns information about the package
  890. //
  891. // Effects: returns pointers to global data
  892. //
  893. // Arguments: PackageInfo - Receives kerberos package information
  894. //
  895. // Requires:
  896. //
  897. // Returns: STATUS_SUCCESS in all cases
  898. //
  899. // Notes:
  900. //
  901. //
  902. //--------------------------------------------------------------------------
  905. NTSTATUS NTAPI
  906. SpGetInfo(
  907. OUT PSecPkgInfo PackageInfo
  908. )
  909. {
  910. PackageInfo->wVersion = SECURITY_SUPPORT_PROVIDER_INTERFACE_VERSION;
  911. PackageInfo->wRPCID = RPC_C_AUTHN_GSS_KERBEROS;
  912. PackageInfo->fCapabilities = KERBEROS_CAPABILITIES;
  913. PackageInfo->cbMaxToken = KerbGlobalMaxTokenSize;
  914. PackageInfo->Name = KERBEROS_PACKAGE_NAME;
  915. PackageInfo->Comment = KERBEROS_PACKAGE_COMMENT;
  916. return(STATUS_SUCCESS);
  917. }
  921. //+-------------------------------------------------------------------------
  922. //
  923. // Function: SpGetExtendedInformation
  924. //
  925. // Synopsis: returns additional information about the package
  926. //
  927. // Effects:
  928. //
  929. // Arguments:
  930. //
  931. // Requires:
  932. //
  933. // Returns:
  934. //
  935. // Notes:
  936. //
  937. //
  938. //--------------------------------------------------------------------------
  939. NTSTATUS
  940. SpGetExtendedInformation(
  941. IN SECPKG_EXTENDED_INFORMATION_CLASS Class,
  942. OUT PSECPKG_EXTENDED_INFORMATION * ppInformation
  943. )
  944. {
  945. NTSTATUS Status = STATUS_SUCCESS;
  946. PSECPKG_EXTENDED_INFORMATION Information = NULL ;
  947. PSECPKG_SERIALIZED_OID SerializedOid;
  948. ULONG Size ;
  950. switch(Class) {
  951. case SecpkgGssInfo:
  952. DsysAssert(gss_mech_krb5_new->length >= 2);
  953. DsysAssert(gss_mech_krb5_new->length < 127);
  955. //
  956. // We need to leave space for the oid and the BER header, which is
  957. // 0x6 and then the length of the oid.
  958. //
  960. Information = (PSECPKG_EXTENDED_INFORMATION)
  961. KerbAllocate(sizeof(SECPKG_EXTENDED_INFORMATION) +
  962. gss_mech_krb5_new->length - 2);
  963. if (Information == NULL)
  964. {
  965. Status = STATUS_INSUFFICIENT_RESOURCES;
  966. goto Cleanup;
  967. }
  969. Information->Class = SecpkgGssInfo;
  970. Information->Info.GssInfo.EncodedIdLength = gss_mech_krb5_new->length + 2;
  971. Information->Info.GssInfo.EncodedId[0] = 0x6; // BER OID type
  972. Information->Info.GssInfo.EncodedId[1] = (UCHAR) gss_mech_krb5_new->length;
  973. RtlCopyMemory(
  974. &Information->Info.GssInfo.EncodedId[2],
  975. gss_mech_krb5_new->elements,
  976. gss_mech_krb5_new->length
  977. );
  979. *ppInformation = Information;
  980. Information = NULL;
  981. break;
  982. case SecpkgContextThunks:
  983. //
  984. // Note - we don't need to add any space for the thunks as there
  985. // is only one, and the structure has space for one. If any more
  986. // thunks are added, we will need to add space for those.
  987. //
  989. Information = (PSECPKG_EXTENDED_INFORMATION)
  990. KerbAllocate(sizeof(SECPKG_EXTENDED_INFORMATION));
  991. if (Information == NULL)
  992. {
  993. Status = STATUS_INSUFFICIENT_RESOURCES;
  994. goto Cleanup;
  995. }
  996. Information->Class = SecpkgContextThunks;
  997. Information->Info.ContextThunks.InfoLevelCount = 1;
  998. Information->Info.ContextThunks.Levels[0] = SECPKG_ATTR_NATIVE_NAMES;
  999. *ppInformation = Information;
  1000. Information = NULL;
  1001. break;
  1003. case SecpkgWowClientDll:
  1005. //
  1006. // This indicates that we're smart enough to handle wow client processes
  1007. //
  1009. Information = (PSECPKG_EXTENDED_INFORMATION)
  1010. KerbAllocate( sizeof( SECPKG_EXTENDED_INFORMATION ) +
  1011. (MAX_PATH * sizeof(WCHAR) ) );
  1013. if ( Information == NULL )
  1014. {
  1015. Status = STATUS_INSUFFICIENT_RESOURCES ;
  1016. goto Cleanup ;
  1017. }
  1019. Information->Class = SecpkgWowClientDll ;
  1020. Information->Info.WowClientDll.WowClientDllPath.Buffer = (PWSTR) (Information + 1);
  1021. Size = ExpandEnvironmentStrings(
  1022. L"%SystemRoot%\\" WOW64_SYSTEM_DIRECTORY_U L"\\Kerberos.DLL",
  1023. Information->Info.WowClientDll.WowClientDllPath.Buffer,
  1024. MAX_PATH );
  1025. Information->Info.WowClientDll.WowClientDllPath.Length = (USHORT) (Size * sizeof(WCHAR));
  1026. Information->Info.WowClientDll.WowClientDllPath.MaximumLength = (USHORT) ((Size + 1) * sizeof(WCHAR) );
  1027. *ppInformation = Information ;
  1028. Information = NULL ;
  1030. break;
  1032. case SecpkgExtraOids:
  1033. Size = sizeof( SECPKG_EXTENDED_INFORMATION ) +
  1034. 2 * sizeof( SECPKG_SERIALIZED_OID ) ;
  1036. Information = (PSECPKG_EXTENDED_INFORMATION)
  1037. KerbAllocate( Size );
  1040. if ( Information == NULL )
  1041. {
  1042. Status = STATUS_INSUFFICIENT_RESOURCES ;
  1043. goto Cleanup ;
  1044. }
  1045. Information->Class = SecpkgExtraOids ;
  1046. Information->Info.ExtraOids.OidCount = 2 ;
  1048. SerializedOid = Information->Info.ExtraOids.Oids;
  1050. SerializedOid->OidLength = gss_mech_krb5_spnego->length + 2;
  1051. SerializedOid->OidAttributes = SECPKG_CRED_BOTH ;
  1052. SerializedOid->OidValue[ 0 ] = 0x06 ; // BER OID type
  1053. SerializedOid->OidValue[ 1 ] = (UCHAR) gss_mech_krb5_spnego->length;
  1054. RtlCopyMemory(
  1055. &SerializedOid->OidValue[2],
  1056. gss_mech_krb5_spnego->elements,
  1057. gss_mech_krb5_spnego->length
  1058. );
  1060. SerializedOid++ ;
  1062. SerializedOid->OidLength = gss_mech_krb5_u2u->length + 2;
  1063. SerializedOid->OidAttributes = SECPKG_CRED_INBOUND ;
  1064. SerializedOid->OidValue[ 0 ] = 0x06 ; // BER OID type
  1065. SerializedOid->OidValue[ 1 ] = (UCHAR) gss_mech_krb5_u2u->length;
  1066. RtlCopyMemory(
  1067. &SerializedOid->OidValue[2],
  1068. gss_mech_krb5_u2u->elements,
  1069. gss_mech_krb5_u2u->length
  1070. );
  1072. *ppInformation = Information ;
  1073. Information = NULL ;
  1074. break;
  1076. default:
  1077. return(STATUS_INVALID_INFO_CLASS);
  1078. }
  1079. Cleanup:
  1080. if (Information != NULL)
  1081. {
  1082. KerbFree(Information);
  1083. }
  1084. return(Status);
  1085. }
  1089. //+-------------------------------------------------------------------------
  1090. //
  1091. // Function: LsaApInitializePackage
  1092. //
  1093. // Synopsis: Obsolete pacakge initialize function, supported for
  1094. // compatibility only. This function has no effect.
  1095. //
  1096. // Effects: none
  1097. //
  1098. // Arguments:
  1099. //
  1100. // Requires:
  1101. //
  1102. // Returns: STATUS_SUCCESS always
  1103. //
  1104. // Notes:
  1105. //
  1106. //
  1107. //--------------------------------------------------------------------------
  1110. NTSTATUS NTAPI
  1111. LsaApInitializePackage(
  1112. IN ULONG AuthenticationPackageId,
  1113. IN PLSA_DISPATCH_TABLE LsaDispatchTable,
  1114. IN PLSA_STRING Database OPTIONAL,
  1115. IN PLSA_STRING Confidentiality OPTIONAL,
  1116. OUT PLSA_STRING *AuthenticationPackageName
  1117. )
  1118. {
  1119. return(STATUS_SUCCESS);
  1120. }
  1122. BOOLEAN
  1123. KerbIsInitialized(
  1124. VOID
  1125. )
  1126. {
  1127. return KerbGlobalInitialized;
  1128. }
  1130. NTSTATUS
  1131. KerbKdcCallBack(
  1132. VOID
  1133. )
  1134. {
  1135. PKERB_BINDING_CACHE_ENTRY CacheEntry = NULL;
  1136. NTSTATUS Status = STATUS_SUCCESS;
  1138. KerbGlobalWriteLock();
  1140. KerbGlobalRole = KerbRoleDomainController;
  1142. Status = KerbLoadKdc();
  1145. //
  1146. // Purge the binding cache of entries for this domain
  1147. //
  1149. CacheEntry = KerbLocateBindingCacheEntry(
  1150. &KerbGlobalDnsDomainName,
  1151. 0,
  1152. TRUE
  1153. );
  1154. if (CacheEntry != NULL)
  1155. {
  1156. KerbDereferenceBindingCacheEntry(CacheEntry);
  1157. }
  1158. CacheEntry = KerbLocateBindingCacheEntry(
  1159. &KerbGlobalDomainName,
  1160. 0,
  1161. TRUE
  1162. );
  1163. if (CacheEntry != NULL)
  1164. {
  1165. KerbDereferenceBindingCacheEntry(CacheEntry);
  1166. }
  1168. //
  1169. // PurgeSpnCache, because we may now have "better" state,
  1170. // e.g. right after DCPromo our SPNs may not have replicated.
  1171. //
  1172. KerbCleanupSpnCache();
  1175. KerbGlobalReleaseLock();
  1177. return Status;
  1178. }
  1180. #endif // WIN32_CHICAGO