archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/protocols/common/common.cxx

701 lines
18 KiB
Raw Normal View History

Add source files
4 years ago
  2. //+-----------------------------------------------------------------------
  3. //
  4. // Microsoft Windows
  5. //
  6. // Copyright (c) Microsoft Corporation 2000
  7. //
  8. // File: common.cxx
  9. //
  10. // Contents: Shared SSPI code
  11. //
  12. //
  13. // History: 11-March-2000 Created Todds
  14. //
  15. //------------------------------------------------------------------------
  22. //+-------------------------------------------------------------------------
  23. //
  24. // Function: SspAllocate
  25. //
  26. // Synopsis: Copies a string from the client and if necessary converts
  27. // from ansi to unicode
  28. //
  29. // Effects: allocates output with either KerbAllocate (unicode)
  30. // or RtlAnsiStringToUnicodeString
  31. //
  32. // Arguments: StringPointer - address of string in client process
  33. // StringLength - Lenght (in characters) of string
  34. // AnsiString - if TRUE, string is ansi
  35. // LocalString - receives allocated string
  36. //
  37. // Requires:
  38. //
  39. // Returns:
  40. //
  41. // Notes:
  42. //
  43. //
  44. //--------------------------------------------------------------------------
  46. PVOID
  47. SspAllocate(
  48. IN ULONG BufferSize
  49. )
  50. {
  52. PVOID pBuffer = NULL;
  53. if (*pSspState == SspLsaMode)
  54. {
  55. pBuffer = LsaFunctions->AllocateLsaHeap(BufferSize);
  56. if (pBuffer != NULL)
  57. {
  58. RtlZeroMemory(Buffer, BufferSize);
  59. }
  60. }
  61. else
  62. {
  63. ASSERT((*pSspState) == SspUserMode);
  64. pBuffer = LocalAlloc(LPTR, BufferSize);
  65. }
  67. return pBuffer;
  68. }
  70. //+-------------------------------------------------------------------------
  71. //
  72. // Function: SspFree
  73. //
  74. // Synopsis: Copies a string from the client and if necessary converts
  75. // from ansi to unicode
  76. //
  77. // Effects: allocates output with either KerbAllocate (unicode)
  78. // or RtlAnsiStringToUnicodeString
  79. //
  80. // Arguments: StringPointer - address of string in client process
  81. // StringLength - Lenght (in characters) of string
  82. // AnsiString - if TRUE, string is ansi
  83. // LocalString - receives allocated string
  84. //
  85. // Requires:
  86. //
  87. // Returns:
  88. //
  89. // Notes:
  90. //
  91. //
  92. //--------------------------------------------------------------------------
  94. VOID
  95. SspFree(
  96. IN PVOID pBuffer
  97. )
  98. {
  100. if (ARGUMENT_PRESENT(Buffer))
  101. {
  102. if ((*pSspState) == SspLsaMode)
  103. {
  104. LsaFunctions->FreeLsaHeap(Buffer);
  105. }
  106. else
  107. {
  108. ASSERT((*pSspState) == SspUserMode);
  109. LocalFree(Buffer);
  110. }
  111. }
  113. }
  115. //+-------------------------------------------------------------------------
  116. //
  117. // Function: SspCopyClientString
  118. //
  119. // Synopsis: Copies a string from the client and if necessary converts
  120. // from ansi to unicode
  121. //
  122. // Effects: allocates output with SspAllocate, free w/ SspFree
  123. //
  124. // Arguments: StringPointer - address of string in client process
  125. // StringLength - Lenght (in characters) of string
  126. // UnicodeString - if TRUE, string is ansi
  127. // MaxLength - Maximum length of string (useful for pwds)
  128. // LocalString - receives allocated string
  129. //
  130. // Requires:
  131. //
  132. // Returns:
  133. //
  134. // Notes:
  135. //
  136. //
  137. //--------------------------------------------------------------------------
  139. NTSTATUS
  140. SspCopyClientString(
  141. IN PVOID StringPointer,
  142. IN ULONG StringLength,
  143. IN BOOLEAN UnicodeString,
  144. OUT PUNICODE_STRING LocalString,
  145. IN ULONG MaxLength = 0xFFFF
  146. )
  147. {
  149. NTSTATUS Status = STATUS_SUCCESS;
  150. STRING TempString = {0};
  151. ULONG SourceSize = 0;
  152. ULONG CharacterSize = (DoUnicode ? sizeof(WCHAR) : sizeof(CHAR));
  154. // init outputs
  155. LocalString->Length = LocalString->MaximumLength = 0;
  156. LocalString->Buffer = NULL;
  158. if (NULL != StringPointer)
  159. {
  160. // For 0 length strings, allocate 2 bytes
  161. if (StringLength == 0)
  162. {
  163. LocalString->Buffer = (LPWSTR) SspAllocate(sizeof(WCHAR));
  164. if (NULL == LocalString->Buffer)
  165. {
  166. DebugLog((DEB_ERROR,"SspCopyClientString allocation failure!\n");
  167. Status = STATUS_NO_MEMORY;
  168. goto Cleanup;
  169. }
  170. LocalString->MaximumLength = sizeof(WCHAR);
  171. *LocalString->Buffer = L"\0";
  172. }
  173. else
  174. {
  176. //
  177. // Ensure no overflow against UNICODE_STRING, or desired string
  178. //
  179. SourceSize = (StringLength + 1) * CharacterSize;
  180. if ((StringLength > MaxLength) || (SourceSize > 0xFFFF))
  181. {
  182. Status = STATUS_INVALID_PARAMETER;
  183. DebugLog((DEB_WARN, "SspCopyClientString, String is too big for UNICODE_STRING\n"));
  184. goto Cleanup;
  185. }
  187. TempString.Buffer = (LPSTR) SspAllocate(SourceSize);
  188. if (NULL == TempString.Buffer)
  189. {
  190. DebugLog((DEB_ERROR,"SspCopyClientString allocation failure!\n");
  191. Status = STATUS_NO_MEMORY;
  192. goto Cleanup;
  193. }
  195. TempString.Length = (USHORT) (SourceSize - CharacterSize);
  196. TempString.MaximumLength = (USHORT) SourceSize;
  198. Status = LsaFunctions->CopyFromClientBuffer(
  199. NULL,
  200. SourceSize - CharacterSize,
  201. TempString.Buffer,
  202. StringPointer
  203. );
  205. if (!NT_SUCCESS(Status))
  206. {
  207. DebugLog((
  208. DEB_ERROR,
  209. "SspCopyClientString:LsaFn->CopyFromClientBuffer Failed - 0x%x\n",
  210. Status));
  211. goto Cleanup;
  212. }
  214. // We've put info into a STRING structure. Now do
  215. // translation to UNICODE_STRING.
  216. if (UnicodeString)
  217. {
  218. LocalString->Buffer = (LPWSTR) TemporaryString.Buffer;
  219. LocalString->Length = TempString.Length;
  220. LocalString->MaximumLength = TempString.MaximumLength;
  221. }
  222. else
  223. {
  224. NTSTATUS Status1;
  225. Status1 = RtlOemStringToUnicodeString(
  226. LocalString,
  227. &TemporaryString,
  228. TRUE
  229. ); // allocate destination
  231. if (!NT_SUCCESS(Status1))
  232. {
  233. Status = STATUS_NO_MEMORY;
  234. DebugLog((
  235. DEB_ERROR,
  236. "SspCopyClientString, Error from RtlOemStringToUnicodeString is 0x%lx\n",
  237. Status
  238. ));
  239. goto Cleanup;
  240. }
  241. }
  242. }
  243. }
  246. Cleanup:
  248. if (TempString.Buffer != NULL)
  249. {
  250. //
  251. // Free this if we failed and were doing unicode or if we weren't
  252. // doing unicode
  253. //
  255. if ((UnicodeString && !NT_SUCCESS(Status)) || !UnicodeString)
  256. {
  257. NtLmFree(TemporaryString.Buffer);
  258. }
  259. }
  261. return Status;
  262. }
  264. //+-------------------------------------------------------------------------
  265. //
  266. // Function: SspAllocate
  267. //
  268. // Synopsis: Copies a string from the client and if necessary converts
  269. // from ansi to unicode
  270. //
  271. // Effects: allocates output with either KerbAllocate (unicode)
  272. // or RtlAnsiStringToUnicodeString
  273. //
  274. // Arguments: StringPointer - address of string in client process
  275. // StringLength - Lenght (in characters) of string
  276. // AnsiString - if TRUE, string is ansi
  277. // LocalString - receives allocated string
  278. //
  279. // Requires:
  280. //
  281. // Returns:
  282. //
  283. // Notes:
  284. //
  285. //
  286. //--------------------------------------------------------------------------
  288. NTSTATUS
  289. SspCopyAuthorizationData(IN PVOID AuthorizationData,
  290. IN OUT PBOOLEAN NullSession)
  291. {
  293. PSEC_WINNT_AUTH_IDENTITY_EXW pAuthIdentityEx = NULL;
  294. BOOLEAN UnicodeString = TRUE;
  296. // Init out parameters
  297. *NullSession = FALSE;
  300. if (NULL == AuthorizationData)
  301. {
  302. return STATUS_SUCCESS;
  303. }
  305. pAuthIdentity = (PSEC_WINNT_AUTH_IDENTITY_EXW)
  306. SspAllocate(sizeof(SEC_WINNT_AUTH_IDENTITY_EXW));
  308. if (NULL != pAuthIdentity)
  309. {
  310. Status = LsaFunctions->CopyFromClientBuffer(
  311. NULL,
  312. sizeof(SEC_WINNT_AUTH_IDENTITY),
  313. pAuthIdentityEx,
  314. AuthorizationData
  315. );
  317. if (!NT_SUCCESS(Status))
  318. {
  319. DebugLog((DEB_ERROR,"Fail: LsaFunctions->CopyFromClientBuffer is 0x%lx\n", Status));
  320. goto Cleanup;
  321. }
  323. } else {
  325. Status = STATUS_NO_MEMORY;
  326. DebugLog((DEB_ERROR, "Fail: Alloc in SspCopyAuthData\n");
  327. goto Cleanup;
  328. }
  330. //
  331. // Do we have an EX version?
  332. //
  333. if (pAuthIdentityEx->Version == SEC_WINNT_AUTH_IDENTITY_VERSION)
  334. {
  335. Status = LsaFunctions->CopyFromClientBuffer(
  336. NULL,
  337. sizeof(SEC_WINNT_AUTH_IDENTITY_EXW),
  338. pAuthIdentityEx,
  339. AuthorizationData
  340. );
  342. if (!NT_SUCCESS(Status))
  343. {
  344. DebugLog((DEB_ERROR,"Fail: Error from LsaFunctions->CopyFromClientBuffer 0x%lx\n", Status));
  345. goto Cleanup;
  346. }
  347. pAuthIdentity = (PSEC_WINNT_AUTH_IDENTITY) &pAuthIdentityEx->User;
  348. CredSize = pAuthIdentityEx->Length;
  349. Offset = FIELD_OFFSET(SEC_WINNT_AUTH_IDENTITY_EXW, User);
  350. }
  351. else
  352. {
  353. pAuthIdentity = (PSEC_WINNT_AUTH_IDENTITY_W) pAuthIdentityEx;
  354. CredSize = sizeof(SEC_WINNT_AUTH_IDENTITY_W);
  355. }
  357. if ((pAuthIdentity->Flags & SEC_WINNT_AUTH_IDENTITY_ANSI) != 0)
  358. {
  359. DoUnicode = FALSE;
  360. //
  361. // Turn off the marshalled flag because we don't support marshalling
  362. // with ansi.
  363. //
  365. pAuthIdentity->Flags &= ~SEC_WINNT_AUTH_IDENTITY_MARSHALLED;
  366. }
  367. else if ((pAuthIdentity->Flags & SEC_WINNT_AUTH_IDENTITY_UNICODE) == 0)
  368. {
  369. Status = SEC_E_INVALID_TOKEN;
  370. SspPrint((SSP_CRITICAL,"SpAcquireCredentialsHandle, Error from pAuthIdentity->Flags is 0x%lx\n", pAuthIdentity->Flags));
  371. goto Cleanup;
  372. }
  374. //
  375. // For NTLM, we've got to verify that this is indeed a NULL session
  376. //
  377. if ((pAuthIdentity->UserLength == 0) &&
  378. (pAuthIdentity->DomainLength == 0) &&
  379. (pAuthIdentity->PasswordLength == 0) &&
  380. (pAuthIdentity->User != NULL) &&
  381. (pAuthIdentity->Domain != NULL) &&
  382. (pAuthIdentity->Password != NULL))
  383. {
  384. *NullSession = TRUE;
  385. }
  387. //
  388. // Copy over marshalled data
  389. //
  390. if((pAuthIdentity->Flags & SEC_WINNT_AUTH_IDENTITY_MARSHALLED) != 0 )
  391. {
  392. ULONG TmpCredentialSize;
  393. ULONG_PTR EndOfCreds;
  394. ULONG_PTR TmpUser;
  395. ULONG_PTR TmpDomain;
  396. ULONG_PTR TmpPassword;
  398. if( pAuthIdentity->UserLength > UNLEN ||
  399. pAuthIdentity->PasswordLength > PWLEN ||
  400. pAuthIdentity->DomainLength > DNS_MAX_NAME_LENGTH ) {
  402. SspPrint((SSP_CRITICAL,"Supplied credentials illegal length.\n"));
  403. Status = STATUS_INVALID_PARAMETER;
  404. goto Cleanup;
  405. }
  407. //
  408. // The callers can set the length of field to n chars, but they
  409. // will really occupy n+1 chars (null-terminator).
  410. //
  412. TmpCredentialSize = CredSize +
  413. ( pAuthIdentity->UserLength +
  414. pAuthIdentity->DomainLength +
  415. pAuthIdentity->PasswordLength +
  416. (((pAuthIdentity->User != NULL) ? 1 : 0) +
  417. ((pAuthIdentity->Domain != NULL) ? 1 : 0) +
  418. ((pAuthIdentity->Password != NULL) ? 1 : 0)) ) * sizeof(WCHAR);
  420. EndOfCreds = (ULONG_PTR) AuthorizationData + TmpCredentialSize;
  422. //
  423. // Verify that all the offsets are valid and no overflow will happen
  424. //
  426. TmpUser = (ULONG_PTR) pAuthIdentity->User;
  428. if ((TmpUser != NULL) &&
  429. ( (TmpUser < (ULONG_PTR) AuthorizationData) ||
  430. (TmpUser > EndOfCreds) ||
  431. ((TmpUser + (pAuthIdentity->UserLength) * sizeof(WCHAR)) > EndOfCreds ) ||
  432. ((TmpUser + (pAuthIdentity->UserLength * sizeof(WCHAR))) < TmpUser)))
  433. {
  434. SspPrint((SSP_CRITICAL,"Username in supplied credentials has invalid pointer or length.\n"));
  435. Status = STATUS_INVALID_PARAMETER;
  436. goto Cleanup;
  437. }
  439. TmpDomain = (ULONG_PTR) pAuthIdentity->Domain;
  441. if ((TmpDomain != NULL) &&
  442. ( (TmpDomain < (ULONG_PTR) AuthorizationData) ||
  443. (TmpDomain > EndOfCreds) ||
  444. ((TmpDomain + (pAuthIdentity->DomainLength) * sizeof(WCHAR)) > EndOfCreds ) ||
  445. ((TmpDomain + (pAuthIdentity->DomainLength * sizeof(WCHAR))) < TmpDomain)))
  446. {
  447. SspPrint((SSP_CRITICAL,"Domainname in supplied credentials has invalid pointer or length.\n"));
  448. Status = STATUS_INVALID_PARAMETER;
  449. goto Cleanup;
  450. }
  452. TmpPassword = (ULONG_PTR) pAuthIdentity->Password;
  454. if ((TmpPassword != NULL) &&
  455. ( (TmpPassword < (ULONG_PTR) AuthorizationData) ||
  456. (TmpPassword > EndOfCreds) ||
  457. ((TmpPassword + (pAuthIdentity->PasswordLength) * sizeof(WCHAR)) > EndOfCreds ) ||
  458. ((TmpPassword + (pAuthIdentity->PasswordLength * sizeof(WCHAR))) < TmpPassword)))
  459. {
  460. SspPrint((SSP_CRITICAL,"Password in supplied credentials has invalid pointer or length.\n"));
  461. Status = STATUS_INVALID_PARAMETER;
  462. goto Cleanup;
  463. }
  465. //
  466. // Allocate a chunk of memory for the credentials
  467. //
  469. TmpCredentials = (PSEC_WINNT_AUTH_IDENTITY_W) NtLmAllocate(TmpCredentialSize - Offset);
  470. if (TmpCredentials == NULL)
  471. {
  472. Status = STATUS_INSUFFICIENT_RESOURCES;
  473. goto Cleanup;
  474. }
  476. //
  477. // Copy the credentials from the client
  478. //
  480. Status = LsaFunctions->CopyFromClientBuffer(
  481. NULL,
  482. TmpCredentialSize - Offset,
  483. TmpCredentials,
  484. (PUCHAR) AuthorizationData + Offset
  485. );
  486. if (!NT_SUCCESS(Status))
  487. {
  488. SspPrint((SSP_CRITICAL,"Failed to copy whole auth identity\n"));
  489. goto Cleanup;
  490. }
  492. //
  493. // Now convert all the offsets to pointers.
  494. //
  496. if (TmpCredentials->User != NULL)
  497. {
  498. USHORT cbUser;
  500. TmpCredentials->User = (LPWSTR) RtlOffsetToPointer(
  501. TmpCredentials->User,
  502. (PUCHAR) TmpCredentials - (PUCHAR) AuthorizationData - Offset
  503. );
  505. ASSERT( (TmpCredentials->UserLength*sizeof(WCHAR)) <= 0xFFFF );
  507. cbUser = (USHORT)(TmpCredentials->UserLength * sizeof(WCHAR));
  508. UserName.Buffer = (PWSTR)NtLmAllocate( cbUser );
  510. if (UserName.Buffer == NULL ) {
  511. Status = STATUS_INSUFFICIENT_RESOURCES;
  512. goto Cleanup;
  513. }
  515. CopyMemory( UserName.Buffer, TmpCredentials->User, cbUser );
  516. UserName.Length = cbUser;
  517. UserName.MaximumLength = cbUser;
  518. }
  520. if (TmpCredentials->Domain != NULL)
  521. {
  522. USHORT cbDomain;
  524. TmpCredentials->Domain = (LPWSTR) RtlOffsetToPointer(
  525. TmpCredentials->Domain,
  526. (PUCHAR) TmpCredentials - (PUCHAR) AuthorizationData - Offset
  527. );
  529. ASSERT( (TmpCredentials->DomainLength*sizeof(WCHAR)) <= 0xFFFF );
  530. cbDomain = (USHORT)(TmpCredentials->DomainLength * sizeof(WCHAR));
  531. DomainName.Buffer = (PWSTR)NtLmAllocate( cbDomain );
  533. if (DomainName.Buffer == NULL ) {
  534. Status = STATUS_INSUFFICIENT_RESOURCES;
  535. goto Cleanup;
  536. }
  538. CopyMemory( DomainName.Buffer, TmpCredentials->Domain, cbDomain );
  539. DomainName.Length = cbDomain;
  540. DomainName.MaximumLength = cbDomain;
  541. }
  543. if (TmpCredentials->Password != NULL)
  544. {
  545. USHORT cbPassword;
  547. TmpCredentials->Password = (LPWSTR) RtlOffsetToPointer(
  548. TmpCredentials->Password,
  549. (PUCHAR) TmpCredentials - (PUCHAR) AuthorizationData - Offset
  550. );
  553. ASSERT( (TmpCredentials->PasswordLength*sizeof(WCHAR)) <= 0xFFFF );
  554. cbPassword = (USHORT)(TmpCredentials->PasswordLength * sizeof(WCHAR));
  555. Password.Buffer = (PWSTR)NtLmAllocate( cbPassword );
  557. if (Password.Buffer == NULL ) {
  558. ZeroMemory( TmpCredentials->Password, cbPassword );
  559. Status = STATUS_INSUFFICIENT_RESOURCES;
  560. goto Cleanup;
  561. }
  563. CopyMemory( Password.Buffer, TmpCredentials->Password, cbPassword );
  564. Password.Length = cbPassword;
  565. Password.MaximumLength = cbPassword;
  567. ZeroMemory( TmpCredentials->Password, cbPassword );
  568. }
  571. }
  572. //
  573. // Data was *not* marshalled, copy strings individually
  574. //
  575. else
  576. {
  577. if (pAuthIdentity->Password != NULL)
  578. {
  579. Status = SspCopyClientString(
  580. pAuthIdentity->Password,
  581. pAuthIdentity->PasswordLength,
  582. UnicodeString,
  583. &Password
  584. );
  585. if (!NT_SUCCESS(Status))
  586. {
  587. DebugLog((DEB_ERROR,"SpAcquireCredentialsHandle, Error from CopyClientString is 0x%lx\n", Status));
  588. goto Cleanup;
  589. }
  591. }
  593. if (pAuthIdentity->User != NULL)
  594. {
  595. Status = SspCopyClientString(
  596. pAuthIdentity->User,
  597. pAuthIdentity->UserLength,
  598. UnicodeString,
  599. &UserName
  600. );
  601. if (!NT_SUCCESS(Status))
  602. {
  603. DebugLog((DEB_ERROR, "SpAcquireCredentialsHandle, Error from CopyClientString is 0x%lx\n", Status));
  604. goto Cleanup;
  605. }
  607. }
  609. if (pAuthIdentity->Domain != NULL)
  610. {
  611. Status = SspCopyClientString(
  612. pAuthIdentity->Domain,
  613. pAuthIdentity->DomainLength,
  614. UnicodeString,
  615. &DomainName
  616. );
  617. if (!NT_SUCCESS(Status))
  618. {
  619. DebugLog((DEB_ERROR, "SpAcquireCredentialsHandle, Error from CopyClientString is 0x%lx\n", Status));
  620. goto Cleanup;
  621. }
  623. //
  624. // Make sure that the domain name length is not greater
  625. // than the allowed dns domain name
  626. //
  627. if (DomainName.Length > DNS_MAX_NAME_LENGTH * sizeof(WCHAR))
  628. {
  629. DebugLog((DEB_ERROR, "SpAcquireCredentialsHandle: Invalid supplied domain name %wZ\n",
  630. &DomainName ));
  631. Status = SEC_E_UNKNOWN_CREDENTIALS;
  632. goto Cleanup;
  633. }
  635. }
  636. }
  672. }
  693. }