archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
9 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 75c48ba87f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '75c48ba87f'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/protocols/schannel/lsa/mapsam.cxx

487 lines
11 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1992 - 1995.
  5. //
  6. // File: mapsam.cxx
  7. //
  8. // Contents:
  9. //
  10. // Classes:
  11. //
  12. // Functions:
  13. //
  14. // History: 10-17-96 RichardW Created
  15. //
  16. //----------------------------------------------------------------------------
  18. extern "C" {
  20. #include "sslp.h"
  21. #include <crypt.h>
  22. #include <lmcons.h>
  23. #include <ntsam.h>
  24. #include <samrpc.h>
  25. #include <samisrv.h>
  26. #include <lsarpc.h>
  27. #include <lsaisrv.h>
  28. #include <ntmsv1_0.h>
  29. #include <certmap.h>
  30. #include "mapsam.h"
  31. }
  33. #include <pac.hxx>
  40. //+---------------------------------------------------------------------------
  41. //
  42. // Function: SslDuplicateString
  43. //
  44. // Synopsis: Duplicate a unicode string
  45. //
  46. // Arguments: [Dest] --
  47. // [Source] --
  48. //
  49. // History: 10-18-96 RichardW Created
  50. //
  51. // Notes:
  52. //
  53. //----------------------------------------------------------------------------
  54. NTSTATUS
  55. SslDuplicateString(
  56. PUNICODE_STRING Dest,
  57. PUNICODE_STRING Source
  58. )
  59. {
  60. Dest->Buffer = (PWSTR) LocalAlloc( LMEM_FIXED, Source->Length + sizeof(WCHAR) );
  61. if ( Dest->Buffer )
  62. {
  63. Dest->Length = Source->Length ;
  64. Dest->MaximumLength = Source->Length + sizeof(WCHAR) ;
  65. CopyMemory( Dest->Buffer, Source->Buffer, Source->Length );
  66. Dest->Buffer[ Dest->Length / 2 ] = L'\0';
  68. return( STATUS_SUCCESS );
  69. }
  71. return( STATUS_NO_MEMORY );
  72. }
  75. //+-------------------------------------------------------------------------
  76. //
  77. // Function: SslMakeDomainRelativeSid
  78. //
  79. // Synopsis: Given a domain Id and a relative ID create the corresponding
  80. // SID allocated from the LSA heap.
  81. //
  82. // Effects:
  83. //
  84. // Arguments:
  85. //
  86. // DomainId - The template SID to use.
  87. //
  88. // RelativeId - The relative Id to append to the DomainId.
  89. //
  90. // Requires:
  91. //
  92. // Returns: Sid - Returns a pointer to a buffer allocated from the LsaHeap
  93. // containing the resultant Sid.
  94. //
  95. // Notes:
  96. //
  97. //
  98. //--------------------------------------------------------------------------
  99. PSID
  100. SslMakeDomainRelativeSid(
  101. IN PSID DomainId,
  102. IN ULONG RelativeId
  103. )
  105. {
  106. UCHAR DomainIdSubAuthorityCount;
  107. ULONG Size;
  108. PSID Sid;
  110. //
  111. // Allocate a Sid which has one more sub-authority than the domain ID.
  112. //
  114. DomainIdSubAuthorityCount = *(RtlSubAuthorityCountSid( DomainId ));
  115. Size = RtlLengthRequiredSid(DomainIdSubAuthorityCount+1);
  117. if ((Sid = LocalAlloc( LMEM_FIXED, Size )) == NULL ) {
  118. return NULL;
  119. }
  121. //
  122. // Initialize the new SID to have the same inital value as the
  123. // domain ID.
  124. //
  126. if ( !NT_SUCCESS( RtlCopySid( Size, Sid, DomainId ) ) ) {
  127. LocalFree( Sid );
  128. return NULL;
  129. }
  131. //
  132. // Adjust the sub-authority count and
  133. // add the relative Id unique to the newly allocated SID
  134. //
  136. (*(RtlSubAuthorityCountSid( Sid ))) ++;
  137. *RtlSubAuthoritySid( Sid, DomainIdSubAuthorityCount ) = RelativeId;
  140. return Sid;
  141. }
  143. //+-------------------------------------------------------------------------
  144. //
  145. // Function: SslDuplicateSid
  146. //
  147. // Synopsis: Duplicates a SID
  148. //
  149. // Effects: allocates memory with LsaFunctions.AllocateLsaHeap
  150. //
  151. // Arguments: DestinationSid - Receives a copy of the SourceSid
  152. // SourceSid - SID to copy
  153. //
  154. // Requires:
  155. //
  156. // Returns: STATUS_SUCCESS - the copy succeeded
  157. // STATUS_INSUFFICIENT_RESOURCES - the call to allocate memory
  158. // failed
  159. //
  160. // Notes:
  161. //
  162. //
  163. //--------------------------------------------------------------------------
  165. NTSTATUS
  166. SslDuplicateSid(
  167. OUT PSID * DestinationSid,
  168. IN PSID SourceSid
  169. )
  170. {
  171. ULONG SidSize;
  173. DsysAssert(RtlValidSid(SourceSid));
  175. SidSize = RtlLengthSid(SourceSid);
  176. *DestinationSid = (PSID) LocalAlloc( LMEM_FIXED, SidSize );
  177. if (*DestinationSid == NULL)
  178. {
  179. return(STATUS_INSUFFICIENT_RESOURCES);
  180. }
  181. RtlCopyMemory(
  182. *DestinationSid,
  183. SourceSid,
  184. SidSize
  185. );
  186. return(STATUS_SUCCESS);
  187. }
  192. NTSTATUS
  193. SslpGetPacForUser(
  194. IN SAMPR_HANDLE UserHandle,
  195. OUT PPACTYPE * ppPac
  196. )
  197. {
  198. PSAMPR_USER_ALL_INFORMATION UserAll = NULL ;
  199. PSAMPR_USER_INFO_BUFFER UserAllInfo = NULL ;
  200. NTSTATUS Status ;
  201. PPACTYPE pNewPac = NULL ;
  202. PSAMPR_GET_GROUPS_BUFFER GroupsBuffer = NULL ;
  204. *ppPac = NULL ;
  206. Status = pSamrQueryInformationUser(
  207. UserHandle,
  208. UserAllInformation,
  209. &UserAllInfo );
  211. if ( !NT_SUCCESS( Status ) )
  212. {
  213. return( Status );
  214. }
  216. UserAll = &UserAllInfo->All ;
  218. if ( UserAll->UserAccountControl & USER_ACCOUNT_DISABLED )
  219. {
  220. Status = STATUS_ACCOUNT_DISABLED ;
  222. goto GetPac_Cleanup;
  223. }
  225. Status = pSamrGetGroupsForUser(
  226. UserHandle,
  227. &GroupsBuffer );
  229. if ( !NT_SUCCESS( Status ) )
  230. {
  231. goto GetPac_Cleanup ;
  232. }
  234. Status = PAC_Init( UserAll,
  235. GroupsBuffer,
  236. GlobalDomainSid,
  237. &GlobalDomainName,
  238. &GlobalMachineName,
  239. NULL,
  240. ppPac );
  245. GetPac_Cleanup:
  247. if ( UserAllInfo )
  248. {
  249. pSamIFree_SAMPR_USER_INFO_BUFFER( UserAllInfo, UserAllInformation );
  250. }
  252. if ( GroupsBuffer )
  253. {
  254. pSamIFree_SAMPR_GET_GROUPS_BUFFER( GroupsBuffer );
  255. }
  257. return( Status );
  259. }
  264. NTSTATUS
  265. SslGetPacForUser(
  266. IN PUNICODE_STRING AlternateName,
  267. IN BOOL AllowGuest,
  268. OUT PUCHAR * pPacData,
  269. OUT PULONG pPacDataSize
  270. )
  271. {
  273. NTSTATUS Status ;
  274. PVOID UserHandle ;
  276. *pPacData = NULL ;
  277. *pPacDataSize = 0 ;
  279. Status = LsaTable->OpenSamUser( AlternateName,
  280. SecNameAlternateId,
  281. &SslNamePrefix,
  282. AllowGuest,
  283. 0,
  284. &UserHandle );
  286. if ( NT_SUCCESS( Status ) )
  287. {
  288. Status = LsaTable->GetUserAuthData( UserHandle,
  289. pPacData,
  290. pPacDataSize );
  292. (VOID) LsaTable->CloseSamUser( UserHandle );
  293. }
  295. return Status ;
  297. }
  301. NTSTATUS
  302. SslCreateTokenFromPac(
  303. IN PUCHAR MarshalledPac,
  304. IN ULONG MarshalledPacSize,
  305. OUT PLUID NewLogonId,
  306. OUT PHANDLE Token
  307. )
  308. {
  309. PLSA_TOKEN_INFORMATION_V1 TokenInformation = NULL ;
  310. PLSA_TOKEN_INFORMATION_NULL TokenNull = NULL ;
  311. PVOID LsaTokenInformation = NULL ;
  313. LUID LogonId ;
  314. UNICODE_STRING UserName ;
  315. UNICODE_STRING DomainName ;
  316. UNICODE_STRING Workstation ;
  318. NTSTATUS Status ;
  319. NTSTATUS SubStatus ;
  320. HANDLE TokenHandle = NULL ;
  323. RtlInitUnicodeString(
  324. &UserName,
  325. L"Certificate User"
  326. );
  328. RtlInitUnicodeString(
  329. &DomainName,
  330. GlobalDomainName.Buffer
  331. );
  334. //
  335. // Now create the token.
  336. //
  338. LsaTokenInformation = TokenInformation;
  341. //
  342. // Create a logon session.
  343. //
  345. NtAllocateLocallyUniqueId(&LogonId);
  347. Status = LsaTable->CreateLogonSession( &LogonId );
  349. if (!NT_SUCCESS(Status))
  350. {
  351. DebugOut((DEB_ERROR,"Failed to create logon session: 0x%x\n",Status));
  352. goto CreateToken_Cleanup;
  353. }
  355. //
  356. // We would normally pass in the client workstation name when creating
  357. // the token, but this information is not available since the client is
  358. // sitting on the other side of an SSL connection.
  359. //
  361. RtlInitUnicodeString(
  362. &Workstation,
  363. NULL
  364. );
  366. Status = LsaTable->CreateToken(
  367. &LogonId,
  368. &SslSource,
  369. Network,
  370. LsaTokenInformationV1,
  371. LsaTokenInformation,
  372. NULL, // no token groups
  373. &UserName,
  374. &DomainName,
  375. &Workstation,
  376. &TokenHandle,
  377. &SubStatus
  378. );
  381. if (!NT_SUCCESS(Status))
  382. {
  383. DebugOut((DEB_ERROR,"Failed to create token: 0x%x\n",Status));
  384. goto CreateToken_Cleanup;
  385. }
  387. TokenInformation = NULL;
  388. TokenNull = NULL;
  390. if (!NT_SUCCESS(SubStatus))
  391. {
  392. DebugOut((DEB_ERROR,"Failed to create token, substatus = 0x%x\n",SubStatus));
  393. Status = SubStatus;
  394. goto CreateToken_Cleanup;
  395. }
  397. //
  398. // If the caller wanted an identify level token, duplicate the token
  399. // now.
  400. //
  402. #if 0
  403. if ((ContextFlags & ISC_RET_IDENTIFY) != 0)
  404. {
  405. if (!DuplicateTokenEx(
  406. TokenHandle,
  407. TOKEN_ALL_ACCESS,
  408. NULL, // no security attributes
  409. SecurityIdentification,
  410. TokenImpersonation,
  411. &TempTokenHandle
  412. ))
  413. {
  414. DebugOut((DEB_ERROR,"Failed to duplicate token\n"));
  415. DsysAssert(GetLastError() == ERROR_NO_SYSTEM_RESOURCES);
  416. Status = STATUS_INSUFFICIENT_RESOURCES;
  417. goto CreateToken_Cleanup;
  418. }
  419. Status = NtClose(TokenHandle);
  421. DsysAssert(NT_SUCCESS(Status));
  422. TokenHandle = TempTokenHandle;
  423. TempTokenHandle = NULL;
  425. }
  426. #endif
  428. //
  429. // Check the delegation information to see if we need to create
  430. // a logon session for this.
  431. //
  433. *NewLogonId = LogonId;
  434. *Token = TokenHandle;
  436. CreateToken_Cleanup:
  437. if (TokenInformation != NULL)
  438. {
  439. if ( TokenInformation->User.User.Sid != NULL ) {
  440. LocalFree( TokenInformation->User.User.Sid );
  441. }
  443. if ( TokenInformation->Groups != NULL ) {
  444. ULONG i;
  446. for ( i=0; i < TokenInformation->Groups->GroupCount; i++ ) {
  447. LocalFree( TokenInformation->Groups->Groups[i].Sid );
  448. }
  450. LocalFree( TokenInformation->Groups );
  451. }
  453. if ( TokenInformation->PrimaryGroup.PrimaryGroup != NULL ) {
  454. LocalFree( TokenInformation->PrimaryGroup.PrimaryGroup );
  455. }
  457. LocalFree( TokenInformation );
  459. }
  460. if (TokenNull != NULL)
  461. {
  462. LocalFree(TokenNull);
  463. }
  466. if (!NT_SUCCESS(Status))
  467. {
  468. //
  469. // Note: if we have created a token, we don't want to delete
  470. // the logon session here because we will end up dereferencing
  471. // the logon session twice.
  472. //
  474. if (TokenHandle != NULL)
  475. {
  476. NtClose(TokenHandle);
  477. }
  478. else if ((LogonId.LowPart != 0) || (LogonId.HighPart != 0))
  479. {
  480. LsaTable->DeleteLogonSession(&LogonId);
  481. }
  482. }
  484. return(Status);
  485. }