Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

1366 lines
32 KiB

  1. /*++
  2. Copyright (c) 1993 Microsoft Corporation
  3. Module Name:
  4. context.cxx
  5. Abstract:
  6. API and support routines for handling security contexts.
  7. Author:
  8. Cliff Van Dyke (CliffV) 13-Jul-1993
  9. Revision History:
  10. ChandanS 03-Aug-1996 Stolen from net\svcdlls\ntlmssp\common\context.c
  11. --*/
  12. //
  13. // Common include files.
  14. //
  15. #include <global.h>
  16. #include <align.h> // ALIGN_WCHAR, etc
  17. #include <lm.h>
  18. #include <dsgetdc.h>
  19. SECURITY_STATUS
  20. SspContextReferenceContext(
  21. IN ULONG_PTR ContextHandle,
  22. IN BOOLEAN RemoveContext,
  23. OUT PSSP_CONTEXT *ContextResult
  24. )
  25. /*++
  26. Routine Description:
  27. This routine checks to see if the Context is for the specified
  28. Client Connection, and references the Context if it is valid.
  29. The caller may optionally request that the Context be
  30. removed from the list of valid Contexts - preventing future
  31. requests from finding this Context.
  32. Arguments:
  33. ContextHandle - Points to the ContextHandle of the Context
  34. to be referenced.
  35. RemoveContext - This boolean value indicates whether the caller
  36. wants the Context to be removed from the list
  37. of Contexts. TRUE indicates the Context is to be removed.
  38. FALSE indicates the Context is not to be removed.
  39. ContextResult set to result context handle if successful.
  40. Return Value:
  41. SEC_E_OK returns a pointer to the referenced Context.
  42. SEC_E_INVALID_HANDLE - invalid handle supplied
  43. SEC_E_CONTEXT_EXPIRED - handle was valid, but expired
  44. --*/
  45. {
  46. PLIST_ENTRY ListEntry;
  47. PSSP_CONTEXT Context;
  48. SspPrint(( SSP_API_MORE, "Entering SspContextReferenceContext\n" ));
  49. *ContextResult = NULL;
  50. #if DBG
  51. //
  52. // check for leaky client applications.
  53. //
  54. SECPKG_CALL_INFO CallInfo;
  55. if( LsaFunctions->GetCallInfo(&CallInfo) )
  56. {
  57. if ((CallInfo.Attributes & SECPKG_CALL_CLEANUP) != 0)
  58. {
  59. SspPrint(( SSP_LEAK_TRACK, "SspContextReferenceContext: pid: 0x%lx handle: %p refcount: %lu\n",
  60. CallInfo.ProcessId, ContextHandle, CallInfo.CallCount));
  61. }
  62. }
  63. #endif
  64. Context = (PSSP_CONTEXT)ContextHandle;
  65. __try {
  66. if( (Context->ContextTag != SSP_CONTEXT_TAG_ACTIVE) )
  67. {
  68. SspPrint(( SSP_CRITICAL, "Tried to reference unknown Context %p\n",
  69. Context ));
  70. return SEC_E_INVALID_HANDLE;
  71. }
  72. #if 0
  73. ASSERT( (KernelCaller == Context->KernelClient) );
  74. #endif
  75. if (!RemoveContext)
  76. {
  77. if (SspTimeHasElapsed( Context->StartTime, Context->Interval))
  78. {
  79. if ((Context->State != AuthenticatedState) &&
  80. (Context->State != AuthenticateSentState) &&
  81. (Context->State != PassedToServiceState))
  82. {
  83. SspPrint(( SSP_CRITICAL, "Context %p has timed out.\n",
  84. ContextHandle ));
  85. return SEC_E_CONTEXT_EXPIRED;
  86. }
  87. }
  88. InterlockedIncrement( (PLONG)&Context->References );
  89. }
  90. else
  91. {
  92. Context->ContextTag = SSP_CONTEXT_TAG_DELETE;
  93. SspPrint(( SSP_API_MORE, "Delinked Context %p\n", Context ));
  94. }
  95. } __except (EXCEPTION_EXECUTE_HANDLER)
  96. {
  97. SspPrint(( SSP_CRITICAL, "Tried to reference invalid Context %p\n",
  98. Context ));
  99. return SEC_E_INVALID_HANDLE;
  100. }
  101. *ContextResult = Context;
  102. return SEC_E_OK;
  103. }
  104. VOID
  105. SspContextDereferenceContext(
  106. PSSP_CONTEXT Context
  107. )
  108. /*++
  109. Routine Description:
  110. This routine decrements the specified Context's reference count.
  111. If the reference count drops to zero, then the Context is deleted
  112. Arguments:
  113. Context - Points to the Context to be dereferenced.
  114. Return Value:
  115. None.
  116. --*/
  117. {
  118. LONG References;
  119. SspPrint(( SSP_API_MORE, "Entering SspContextDereferenceContext\n" ));
  120. //
  121. // Decrement the reference count
  122. //
  123. References = InterlockedDecrement( (PLONG)&Context->References );
  124. ASSERT( References >= 0 );
  125. //
  126. // If the count dropped to zero, then run-down the Context
  127. //
  128. if (References != 0)
  129. {
  130. return;
  131. }
  132. SspPrint(( SSP_API_MORE, "Deleting Context 0x%lx\n",
  133. Context ));
  134. Context->ContextTag = SSP_CONTEXT_TAG_DELETE;
  135. if ( Context->Password.Buffer != NULL ) {
  136. // note: Password.Length may contain run-encoding hint, so size may be illegal.
  137. ZeroMemory( Context->Password.Buffer, Context->Password.MaximumLength );
  138. (VOID) NtLmFree( Context->Password.Buffer );
  139. }
  140. if ( Context->DomainName.Buffer != NULL ) {
  141. (VOID) NtLmFree( Context->DomainName.Buffer );
  142. }
  143. if ( Context->UserName.Buffer != NULL ) {
  144. (VOID) NtLmFree( Context->UserName.Buffer );
  145. }
  146. if( Context->TargetInfo != NULL )
  147. {
  148. //
  149. // CredUnmarshallTargetInfo uses LocalAlloc()
  150. //
  151. LocalFree( Context->TargetInfo );
  152. }
  153. if ( Context->TokenHandle != NULL ) {
  154. NTSTATUS IgnoreStatus;
  155. IgnoreStatus = NtClose( Context->TokenHandle );
  156. ASSERT( NT_SUCCESS(IgnoreStatus) );
  157. }
  158. if( Context->pbMarshalledTargetInfo )
  159. {
  160. LocalFree( Context->pbMarshalledTargetInfo );
  161. }
  162. if (Context->Credential != NULL) {
  163. SspCredentialDereferenceCredential( Context->Credential );
  164. }
  165. ZeroMemory( Context, sizeof(SSP_CONTEXT) );
  166. (VOID) NtLmFree( Context );
  167. return;
  168. }
  169. PSSP_CONTEXT
  170. SspContextAllocateContext(
  171. VOID
  172. )
  173. /*++
  174. Routine Description:
  175. This routine allocates the security context block, initializes it and
  176. links it onto the specified credential.
  177. Arguments: None
  178. Return Value:
  179. NULL -- Not enough memory to allocate context.
  180. otherwise -- pointer to allocated and referenced context.
  181. --*/
  182. {
  183. SspPrint(( SSP_API_MORE, "Entering SspContextAllocateContext\n" ));
  184. PSSP_CONTEXT Context;
  185. SECPKG_CALL_INFO CallInfo;
  186. //
  187. // Allocate a Context block and initialize it.
  188. //
  189. Context = (PSSP_CONTEXT)NtLmAllocate(sizeof(SSP_CONTEXT) );
  190. if ( Context == NULL ) {
  191. SspPrint(( SSP_CRITICAL, "SspContextAllocateContext: Error allocating Context.\n" ));
  192. return NULL;
  193. }
  194. ZeroMemory( Context, sizeof(SSP_CONTEXT) );
  195. if( LsaFunctions->GetCallInfo(&CallInfo) ) {
  196. Context->ClientProcessID = CallInfo.ProcessId;
  197. Context->KernelClient = ((CallInfo.Attributes & SECPKG_CALL_KERNEL_MODE) != 0);
  198. }
  199. //
  200. // The reference count is set to 2. 1 to indicate it is on the
  201. // valid Context list, and one for the our own reference.
  202. //
  203. Context->References = 2;
  204. Context->State = IdleState;
  205. //
  206. // Timeout this context.
  207. //
  208. (VOID) NtQuerySystemTime( &Context->StartTime );
  209. Context->Interval = NTLMSSP_MAX_LIFETIME;
  210. //
  211. // Add it to the list of valid Context handles.
  212. //
  213. Context->ContextTag = SSP_CONTEXT_TAG_ACTIVE;
  214. SspPrint(( SSP_API_MORE, "Added Context 0x%lx\n", Context ));
  215. SspPrint(( SSP_API_MORE, "Leaving SspContextAllocateContext\n" ));
  216. return Context;
  217. }
  218. NTSTATUS
  219. SspContextGetMessage(
  220. IN PVOID InputMessage,
  221. IN ULONG InputMessageSize,
  222. IN NTLM_MESSAGE_TYPE ExpectedMessageType,
  223. OUT PVOID* OutputMessage
  224. )
  225. /*++
  226. Routine Description:
  227. This routine copies the InputMessage into the local address space.
  228. This routine then validates the message header.
  229. Arguments:
  230. InputMessage - Address of the message in the client process.
  231. InputMessageSize - Size of the message (in bytes).
  232. ExpectedMessageType - The type of message the should be in the message
  233. header.
  234. OutputMessage - Returns a pointer to an allocated buffer that contains
  235. the message. The buffer should be freed using NtLmFree.
  236. Return Value:
  237. STATUS_SUCCESS - Call completed successfully
  238. SEC_E_INVALID_TOKEN -- Message improperly formatted
  239. SEC_E_INSUFFICIENT_MEMORY -- Not enough memory to allocate message
  240. --*/
  241. {
  242. NTSTATUS Status = STATUS_SUCCESS;
  243. PNEGOTIATE_MESSAGE TypicalMessage = NULL;
  244. //
  245. // Allocate a local buffer for the message.
  246. //
  247. ASSERT( NTLMSP_MAX_TOKEN_SIZE >= NTLMSSP_MAX_MESSAGE_SIZE );
  248. if ( InputMessageSize > NTLMSSP_MAX_MESSAGE_SIZE ) {
  249. Status = SEC_E_INVALID_TOKEN;
  250. SspPrint(( SSP_CRITICAL, "SspContextGetMessage, invalid input message size.\n" ));
  251. goto Cleanup;
  252. }
  253. TypicalMessage = (PNEGOTIATE_MESSAGE)NtLmAllocate(InputMessageSize );
  254. if ( TypicalMessage == NULL ) {
  255. Status = STATUS_NO_MEMORY;
  256. SspPrint(( SSP_CRITICAL, "SspContextGetMessage: Error allocating TypicalMessage.\n" ));
  257. goto Cleanup;
  258. }
  259. //
  260. // Copy the message into the buffer
  261. //
  262. RtlCopyMemory( TypicalMessage,
  263. InputMessage,
  264. InputMessageSize );
  265. //
  266. // Validate the message header.
  267. //
  268. if ( strncmp( (const char *)TypicalMessage->Signature,
  269. NTLMSSP_SIGNATURE,
  270. sizeof(NTLMSSP_SIGNATURE)) != 0 ||
  271. TypicalMessage->MessageType != ExpectedMessageType ) {
  272. (VOID) NtLmFree( TypicalMessage );
  273. TypicalMessage = NULL;
  274. Status = SEC_E_INVALID_TOKEN;
  275. SspPrint(( SSP_CRITICAL, "SspContextGetMessage, Bogus Message.\n" ));
  276. goto Cleanup;
  277. }
  278. Cleanup:
  279. *OutputMessage = TypicalMessage;
  280. return Status;
  281. }
  282. VOID
  283. SspContextCopyString(
  284. IN PVOID MessageBuffer,
  285. OUT PSTRING32 OutString,
  286. IN PSTRING InString,
  287. IN OUT PCHAR *Where
  288. )
  289. /*++
  290. Routine Description:
  291. This routine copies the InString into the MessageBuffer at Where.
  292. It then updates OutString to be a descriptor for the copied string. The
  293. descriptor 'address' is an offset from the MessageBuffer.
  294. Where is updated to point to the next available space in the MessageBuffer.
  295. The caller is responsible for any alignment requirements and for ensuring
  296. there is room in the buffer for the string.
  297. Arguments:
  298. MessageBuffer - Specifies the base address of the buffer being copied into.
  299. OutString - Returns a descriptor for the copied string. The descriptor
  300. is relative to the begining of the buffer.
  301. InString - Specifies the string to copy.
  302. Where - On input, points to where the string is to be copied.
  303. On output, points to the first byte after the string.
  304. Return Value:
  305. None.
  306. --*/
  307. {
  308. //
  309. // Copy the data to the Buffer.
  310. //
  311. if ( InString->Buffer != NULL ) {
  312. RtlCopyMemory( *Where, InString->Buffer, InString->Length );
  313. }
  314. //
  315. // Build a descriptor to the newly copied data.
  316. //
  317. OutString->Length = OutString->MaximumLength = InString->Length;
  318. OutString->Buffer = (ULONG)(*Where - ((PCHAR)MessageBuffer));
  319. //
  320. // Update Where to point past the copied data.
  321. //
  322. *Where += InString->Length;
  323. }
  324. VOID
  325. SspContextCopyStringAbsolute(
  326. IN PVOID MessageBuffer,
  327. OUT PSTRING OutString,
  328. IN PSTRING InString,
  329. IN OUT PCHAR *Where
  330. )
  331. /*++
  332. Routine Description:
  333. This routine copies the InString into the MessageBuffer at Where.
  334. It then updates OutString to be a descriptor for the copied string.
  335. Where is updated to point to the next available space in the MessageBuffer.
  336. The caller is responsible for any alignment requirements and for ensuring
  337. there is room in the buffer for the string.
  338. Arguments:
  339. MessageBuffer - Specifies the base address of the buffer being copied into.
  340. OutString - Returns a descriptor for the copied string. The descriptor
  341. is relative to the begining of the buffer.
  342. InString - Specifies the string to copy.
  343. Where - On input, points to where the string is to be copied.
  344. On output, points to the first byte after the string.
  345. Return Value:
  346. None.
  347. --*/
  348. {
  349. //
  350. // Copy the data to the Buffer.
  351. //
  352. if ( InString->Buffer != NULL ) {
  353. RtlCopyMemory( *Where, InString->Buffer, InString->Length );
  354. }
  355. //
  356. // Build a descriptor to the newly copied data.
  357. //
  358. OutString->Length = OutString->MaximumLength = InString->Length;
  359. OutString->Buffer = *Where;
  360. //
  361. // Update Where to point past the copied data.
  362. //
  363. *Where += InString->Length;
  364. }
  365. BOOLEAN
  366. SspConvertRelativeToAbsolute (
  367. IN PVOID MessageBase,
  368. IN ULONG MessageSize,
  369. IN PSTRING32 StringToRelocate,
  370. IN PSTRING OutputString,
  371. IN BOOLEAN AlignToWchar,
  372. IN BOOLEAN AllowNullString
  373. )
  374. /*++
  375. Routine Description:
  376. Convert a Relative string desriptor to be absolute.
  377. Perform all boudary condition testing.
  378. Arguments:
  379. MessageBase - a pointer to the base of the buffer that the string
  380. is relative to. The MaximumLength field of the descriptor is
  381. forced to be the same as the Length field.
  382. MessageSize - Size of the message buffer (in bytes).
  383. StringToRelocate - A pointer to the string descriptor to make absolute.
  384. AlignToWchar - If TRUE the passed in StringToRelocate must describe
  385. a buffer that is WCHAR aligned. If not, an error is returned.
  386. AllowNullString - If TRUE, the passed in StringToRelocate may be
  387. a zero length string.
  388. Return Value:
  389. TRUE - The string descriptor is valid and was properly relocated.
  390. --*/
  391. {
  392. ULONG_PTR Offset;
  393. //
  394. // If the buffer is allowed to be null,
  395. // check that special case.
  396. //
  397. if ( AllowNullString ) {
  398. if ( StringToRelocate->Length == 0 ) {
  399. OutputString->MaximumLength = OutputString->Length = StringToRelocate->Length;
  400. OutputString->Buffer = NULL;
  401. return TRUE;
  402. }
  403. }
  404. //
  405. // Ensure the string in entirely within the message.
  406. //
  407. Offset = (ULONG_PTR) StringToRelocate->Buffer;
  408. if ( Offset >= MessageSize ||
  409. Offset + StringToRelocate->Length > MessageSize ) {
  410. return FALSE;
  411. }
  412. //
  413. // Ensure the buffer is properly aligned.
  414. //
  415. if ( AlignToWchar ) {
  416. if ( !COUNT_IS_ALIGNED( Offset, ALIGN_WCHAR) ||
  417. !COUNT_IS_ALIGNED( StringToRelocate->Length, ALIGN_WCHAR) ) {
  418. return FALSE;
  419. }
  420. }
  421. //
  422. // Finally make the pointer absolute.
  423. //
  424. OutputString->Buffer = (((PCHAR)MessageBase) + Offset);
  425. OutputString->MaximumLength = OutputString->Length = StringToRelocate->Length ;
  426. return TRUE;
  427. }
  428. TimeStamp
  429. SspContextGetTimeStamp(
  430. IN PSSP_CONTEXT Context,
  431. IN BOOLEAN GetExpirationTime
  432. )
  433. /*++
  434. Routine Description:
  435. Get the Start time or Expiration time for the specified context.
  436. Arguments:
  437. Context - Pointer to the context to query
  438. GetExpirationTime - If TRUE return the expiration time.
  439. Otherwise, return the start time for the context.
  440. Return Value:
  441. Returns the requested time as a local time.
  442. --*/
  443. {
  444. NTSTATUS Status;
  445. LARGE_INTEGER SystemTime;
  446. LARGE_INTEGER LocalTime;
  447. TimeStamp LocalTimeStamp;
  448. //
  449. // Get the requested time in NT system time format.
  450. //
  451. SystemTime = Context->StartTime;
  452. if ( GetExpirationTime ) {
  453. LARGE_INTEGER Interval;
  454. //
  455. // If the time is infinite, return that
  456. //
  457. if ( Context->Interval == INFINITE ) {
  458. return NtLmGlobalForever;
  459. }
  460. //
  461. // Compute the ending time in NT System Time.
  462. //
  463. Interval.QuadPart = Int32x32To64( (LONG) Context->Interval, 10000 );
  464. SystemTime.QuadPart = Interval.QuadPart + SystemTime.QuadPart;
  465. }
  466. //
  467. // Convert the time to local time
  468. //
  469. Status = RtlSystemTimeToLocalTime( &SystemTime, &LocalTime );
  470. if ( !NT_SUCCESS(Status) ) {
  471. return NtLmGlobalForever;
  472. }
  473. LocalTimeStamp.HighPart = LocalTime.HighPart;
  474. LocalTimeStamp.LowPart = LocalTime.LowPart;
  475. return LocalTimeStamp;
  476. }
  477. VOID
  478. SspContextSetTimeStamp(
  479. IN PSSP_CONTEXT Context,
  480. IN LARGE_INTEGER ExpirationTime
  481. )
  482. /*++
  483. Routine Description:
  484. Set the Expiration time for the specified context.
  485. Arguments:
  486. Context - Pointer to the context to change
  487. ExpirationTime - Expiration time to set
  488. Return Value:
  489. NONE.
  490. --*/
  491. {
  492. LARGE_INTEGER BaseGetTickMagicDivisor = { 0xe219652c, 0xd1b71758 };
  493. CCHAR BaseGetTickMagicShiftCount = 13;
  494. LARGE_INTEGER TimeRemaining;
  495. LARGE_INTEGER MillisecondsRemaining;
  496. //
  497. // If the expiration time is infinite,
  498. // so is the interval
  499. //
  500. if ( ExpirationTime.HighPart == 0x7FFFFFFF &&
  501. ExpirationTime.LowPart == 0xFFFFFFFF ) {
  502. Context->Interval = INFINITE;
  503. //
  504. // Handle non-infinite expiration times
  505. //
  506. } else {
  507. //
  508. // Compute the time remaining before the expiration time
  509. //
  510. TimeRemaining.QuadPart = ExpirationTime.QuadPart -
  511. Context->StartTime.QuadPart;
  512. //
  513. // If the time has already expired,
  514. // indicate so.
  515. //
  516. if ( TimeRemaining.QuadPart < 0 ) {
  517. Context->Interval = 0;
  518. //
  519. // If the time hasn't expired, compute the number of milliseconds
  520. // remaining.
  521. //
  522. } else {
  523. MillisecondsRemaining = RtlExtendedMagicDivide(
  524. TimeRemaining,
  525. BaseGetTickMagicDivisor,
  526. BaseGetTickMagicShiftCount );
  527. if ( MillisecondsRemaining.HighPart == 0 &&
  528. MillisecondsRemaining.LowPart < 0x7fffffff ) {
  529. Context->Interval = MillisecondsRemaining.LowPart;
  530. } else {
  531. Context->Interval = INFINITE;
  532. }
  533. }
  534. }
  535. }
  536. NTSTATUS
  537. SsprDeleteSecurityContext (
  538. IN OUT ULONG_PTR ContextHandle
  539. )
  540. /*++
  541. Routine Description:
  542. Deletes the local data structures associated with the specified
  543. security context and generates a token which is passed to a remote peer
  544. so it too can remove the corresponding security context.
  545. This API terminates a context on the local machine, and optionally
  546. provides a token to be sent to the other machine. The OutputToken
  547. generated by this call is to be sent to the remote peer (initiator or
  548. acceptor). If the context was created with the I _REQ_ALLOCATE_MEMORY
  549. flag, then the package will allocate a buffer for the output token.
  550. Otherwise, it is the responsibility of the caller.
  551. Arguments:
  552. ContextHandle - Handle to the context to delete
  553. Return Value:
  554. STATUS_SUCCESS - Call completed successfully
  555. SEC_E_NO_SPM -- Security Support Provider is not running
  556. SEC_E_INVALID_HANDLE -- Credential/Context Handle is invalid
  557. --*/
  558. {
  559. NTSTATUS Status = STATUS_SUCCESS;
  560. PSSP_CONTEXT Context = NULL;
  561. //
  562. // Initialization
  563. //
  564. SspPrint(( SSP_API_MORE, "SspDeleteSecurityContext Entered\n" ));
  565. //
  566. // Find the currently existing context (and delink it).
  567. //
  568. Status = SspContextReferenceContext( ContextHandle, TRUE, &Context );
  569. if ( NT_SUCCESS(Status) )
  570. {
  571. SspContextDereferenceContext( Context );
  572. }
  573. SspPrint(( SSP_API_MORE, "SspDeleteSecurityContext returns 0x%lx\n", Status));
  574. return Status;
  575. }
  576. NTSTATUS
  577. SspContextInitialize(
  578. VOID
  579. )
  580. /*++
  581. Routine Description:
  582. This function initializes this module.
  583. Arguments:
  584. None.
  585. Return Value:
  586. Status of the operation.
  587. --*/
  588. {
  589. return STATUS_SUCCESS;
  590. }
  591. VOID
  592. SspContextTerminate(
  593. VOID
  594. )
  595. /*++
  596. Routine Description:
  597. This function cleans up any dangling Contexts.
  598. Arguments:
  599. None.
  600. Return Value:
  601. Status of the operation.
  602. --*/
  603. {
  604. //
  605. // don't forcibly try to delete contexts during shutdown, as, the
  606. // state of the machine is in flux during shutdown.
  607. //
  608. return;
  609. }
  610. BOOL
  611. SsprCheckMinimumSecurity(
  612. IN ULONG NegotiateFlags,
  613. IN ULONG MinimumSecurityFlags
  614. )
  615. /*++
  616. Routine Description:
  617. Check that minimum security requirements have been met.
  618. Arguments:
  619. NegotiateFlags: requested security features
  620. MinimumSecurityFlags: minimum required features
  621. Return Value:
  622. TRUE if minimum requirements met
  623. FALSE otherwise
  624. Notes:
  625. The MinimumSecurityFlags can contain features that only apply if
  626. a key is needed when doing signing or sealing. These have to be removed
  627. if SIGN or SEAL is not in the NegotiateFlags.
  628. --*/
  629. {
  630. ULONG EffFlags; // flags in effect
  631. EffFlags = MinimumSecurityFlags;
  632. if( (NegotiateFlags & NTLMSSP_NEGOTIATE_SIGN) == 0 )
  633. EffFlags &= ~(NTLMSSP_NEGOTIATE_SIGN);
  634. if( (NegotiateFlags & NTLMSSP_NEGOTIATE_SEAL) == 0 )
  635. EffFlags &= ~(NTLMSSP_NEGOTIATE_SEAL);
  636. //
  637. // if SIGN or SEAL is not negotiated, then remove all key related
  638. // requirements, since they're not relevant when a key isn't needed
  639. //
  640. if ((NegotiateFlags & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL)) == 0)
  641. {
  642. EffFlags &= ~(
  643. NTLMSSP_NEGOTIATE_128 |
  644. NTLMSSP_NEGOTIATE_56 |
  645. NTLMSSP_NEGOTIATE_KEY_EXCH
  646. );
  647. } else if ((NegotiateFlags & NTLMSSP_NEGOTIATE_SEAL) == 0) {
  648. //
  649. // If SIGN is negotiated, but SEAL isn't, then remove flags
  650. // that aren't relevant to encryption
  651. //
  652. EffFlags &= ~( NTLMSSP_NEGOTIATE_KEY_EXCH );
  653. }
  654. //
  655. // FYI: flags that can be usefully spec'd even without SIGN or SEAL:
  656. // NTLM2 -- forces stronger authentication
  657. // All other flags should never be set.... and are nuked in initcomn
  658. //
  659. return ((NegotiateFlags & EffFlags) == EffFlags);
  660. }
  661. SECURITY_STATUS
  662. SsprMakeSessionKey(
  663. IN PSSP_CONTEXT Context,
  664. IN PSTRING LmChallengeResponse,
  665. IN UCHAR NtUserSessionKey[MSV1_0_USER_SESSION_KEY_LENGTH], // from the DC or GetChalResp
  666. IN UCHAR LanmanSessionKey[MSV1_0_LANMAN_SESSION_KEY_LENGTH], // from the DC of GetChalResp
  667. IN PSTRING DatagramSessionKey
  668. )
  669. /*++
  670. // SsprMakeSessionKey
  671. // on entry:
  672. // if KEY_EXCH has been negotiated, then
  673. // either Context->SessionKey has a random number to be encrypted
  674. // to be sent to the server, or it has the encrypted session key
  675. // received from the client
  676. // if client, DatagramSessionKey must point to STRING set up to hold 16 byte key,
  677. // but with 0 length.
  678. // else Context->SessionKey and DatagramSessionKey are irrelevant on entry
  679. // on exit:
  680. // Context->SessionKey has the session key to be used for the rest of the session
  681. // if (DatagramSessionKey != NULL) then if KEY_EXCH then it has the encrypted session key
  682. // to send to the server, else it is zero length
  683. //
  684. --*/
  685. {
  686. NTSTATUS Status;
  687. UCHAR LocalSessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
  688. // if we don't need to make any keys, just return
  689. // RDR/SRV expect session key but don't ask for it! work-around this...
  690. // if ((Context->NegotiateFlags & (NTLMSSP_NEGOTIATE_SIGN| NTLMSSP_NEGOTIATE_SEAL)) == 0)
  691. // return(SEC_E_OK);
  692. if ((Context->NegotiateFlags & (NTLMSSP_NEGOTIATE_SIGN| NTLMSSP_NEGOTIATE_SEAL)) == 0)
  693. {
  694. RtlCopyMemory(
  695. Context->SessionKey,
  696. NtUserSessionKey,
  697. sizeof(LocalSessionKey)
  698. );
  699. return SEC_E_OK;
  700. }
  701. if (Context->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2)
  702. {
  703. //
  704. // when using NTLM2, LSA gets passed flags that cause
  705. // it to make good session keys -- nothing for us to do
  706. //
  707. RtlCopyMemory(
  708. LocalSessionKey,
  709. NtUserSessionKey,
  710. sizeof(LocalSessionKey)
  711. );
  712. }
  713. else if( Context->NegotiateFlags & NTLMSSP_NEGOTIATE_LM_KEY )
  714. {
  715. LM_OWF_PASSWORD LmKey;
  716. LM_RESPONSE LmResponseKey;
  717. BYTE TemporaryResponse[ LM_RESPONSE_LENGTH ];
  718. RtlZeroMemory(
  719. LocalSessionKey,
  720. MSV1_0_USER_SESSION_KEY_LENGTH
  721. );
  722. if (LmChallengeResponse->Length > LM_RESPONSE_LENGTH)
  723. return(SEC_E_UNSUPPORTED_FUNCTION);
  724. ZeroMemory( TemporaryResponse, sizeof(TemporaryResponse) );
  725. CopyMemory( TemporaryResponse, LmChallengeResponse->Buffer, LmChallengeResponse->Length );
  726. //
  727. // The LM session key is made by taking the LM sesion key
  728. // given to us by the LSA, extending it to LM_OWF_LENGTH
  729. // with our salt, and then producing a new challenge-response
  730. // with it and the original challenge response. The key is
  731. // made from the first 8 bytes of the key.
  732. //
  733. RtlCopyMemory( &LmKey,
  734. LanmanSessionKey,
  735. MSV1_0_LANMAN_SESSION_KEY_LENGTH );
  736. memset( (PUCHAR)(&LmKey) + MSV1_0_LANMAN_SESSION_KEY_LENGTH,
  737. NTLMSSP_KEY_SALT,
  738. LM_OWF_PASSWORD_LENGTH - MSV1_0_LANMAN_SESSION_KEY_LENGTH );
  739. Status = RtlCalculateLmResponse(
  740. (PLM_CHALLENGE) TemporaryResponse,
  741. &LmKey,
  742. &LmResponseKey
  743. );
  744. ZeroMemory( TemporaryResponse, sizeof(TemporaryResponse) );
  745. if (!NT_SUCCESS(Status))
  746. return(SspNtStatusToSecStatus(Status, SEC_E_NO_CREDENTIALS));
  747. RtlCopyMemory(
  748. LocalSessionKey,
  749. &LmResponseKey,
  750. MSV1_0_USER_SESSION_KEY_LENGTH
  751. );
  752. } else {
  753. RtlCopyMemory(
  754. LocalSessionKey,
  755. NtUserSessionKey,
  756. MSV1_0_USER_SESSION_KEY_LENGTH
  757. );
  758. }
  759. //
  760. // If we aren't doing key exchange, store the session key in the
  761. // context. Otherwise encrypt the session key to send to the
  762. // server.
  763. //
  764. if (Context->NegotiateFlags & NTLMSSP_NEGOTIATE_KEY_EXCH) {
  765. struct RC4_KEYSTRUCT Rc4Key;
  766. //
  767. // make a key schedule from the temp key to form key exchange key
  768. //
  769. rc4_key(
  770. &Rc4Key,
  771. MSV1_0_USER_SESSION_KEY_LENGTH,
  772. LocalSessionKey
  773. );
  774. if (DatagramSessionKey == NULL)
  775. {
  776. //
  777. // decrypt what's in Context->SessionKey, leave it there
  778. //
  779. rc4(
  780. &Rc4Key,
  781. MSV1_0_USER_SESSION_KEY_LENGTH,
  782. Context->SessionKey
  783. );
  784. } else {
  785. //
  786. // set the proper length so client will send something (length was 0)
  787. //
  788. DatagramSessionKey->Length =
  789. DatagramSessionKey->MaximumLength =
  790. MSV1_0_USER_SESSION_KEY_LENGTH;
  791. //
  792. // copy randomly generated key to buffer to send to server
  793. //
  794. RtlCopyMemory(
  795. DatagramSessionKey->Buffer,
  796. Context->SessionKey,
  797. MSV1_0_USER_SESSION_KEY_LENGTH
  798. );
  799. //
  800. // encrypt it with the key exchange key
  801. //
  802. rc4(
  803. &Rc4Key,
  804. MSV1_0_USER_SESSION_KEY_LENGTH,
  805. (unsigned char*)DatagramSessionKey->Buffer
  806. );
  807. }
  808. } else {
  809. //
  810. // just make the temp key into the real one
  811. //
  812. RtlCopyMemory(
  813. Context->SessionKey,
  814. LocalSessionKey,
  815. MSV1_0_USER_SESSION_KEY_LENGTH
  816. );
  817. }
  818. return(SEC_E_OK);
  819. }
  820. NTSTATUS
  821. SsprQueryTreeName(
  822. OUT PUNICODE_STRING TreeName
  823. )
  824. {
  825. PDS_DOMAIN_TRUSTSW Trusts = NULL;
  826. ULONG TrustCount ;
  827. ULONG Index;
  828. LPWSTR DnsTreeName = NULL;
  829. DWORD NetStatus;
  830. ZeroMemory( TreeName, sizeof(*TreeName) );
  831. NetStatus = DsEnumerateDomainTrustsW(
  832. NULL,
  833. DS_DOMAIN_PRIMARY | DS_DOMAIN_IN_FOREST,
  834. &Trusts,
  835. &TrustCount
  836. );
  837. if( NetStatus != NO_ERROR )
  838. {
  839. // TODO: Talk to CliffV about failure causes.
  840. // in any event, the failure is not catastrophic.
  841. //
  842. return STATUS_SUCCESS;
  843. }
  844. for(Index = 0 ; Index < TrustCount; Index++)
  845. {
  846. ULONG Attempts; // bound the attempts in the event bogus data comes back.
  847. if( (Trusts[Index].Flags & DS_DOMAIN_PRIMARY) == 0)
  848. {
  849. continue;
  850. }
  851. for( Attempts = 0 ; Index < TrustCount; Attempts++ )
  852. {
  853. if( Attempts > TrustCount )
  854. {
  855. break;
  856. }
  857. if( (Trusts[Index].Flags & DS_DOMAIN_TREE_ROOT) == 0 )
  858. {
  859. Index = Trusts[Index].ParentIndex;
  860. continue;
  861. }
  862. DnsTreeName = Trusts[Index].DnsDomainName;
  863. break;
  864. }
  865. break;
  866. }
  867. if( DnsTreeName )
  868. {
  869. DWORD cchTreeName = lstrlenW( DnsTreeName );
  870. TreeName->Buffer = (PWSTR)NtLmAllocate( cchTreeName*sizeof(WCHAR) );
  871. if( TreeName->Buffer == NULL )
  872. {
  873. return STATUS_INSUFFICIENT_RESOURCES;
  874. }
  875. TreeName->Length = (USHORT)(cchTreeName*sizeof(WCHAR));
  876. TreeName->MaximumLength = TreeName->Length;
  877. RtlCopyMemory( TreeName->Buffer, DnsTreeName, TreeName->Length );
  878. }
  879. NetApiBufferFree( Trusts );
  880. return STATUS_SUCCESS;
  881. }
  882. NTSTATUS
  883. SsprUpdateTargetInfo(
  884. VOID
  885. )
  886. /*++
  887. Update the NtLmGlobalNtLm3TargetInfo buffer based on the current values
  888. of the various global variables.
  889. NOTE: the global lock must be held for exclusive access prior to making
  890. this call!
  891. --*/
  892. {
  893. PMSV1_0_AV_PAIR pAV;
  894. PUNICODE_STRING pDnsTargetName;
  895. PUNICODE_STRING pDnsComputerName;
  896. PUNICODE_STRING pDnsTreeName;
  897. ULONG cbAV;
  898. ULONG AvFlags = 0;
  899. if( NtLmGlobalNtLm3TargetInfo.Buffer != NULL )
  900. {
  901. NtLmFree(NtLmGlobalNtLm3TargetInfo.Buffer);
  902. }
  903. if( NtLmGlobalTargetFlags == NTLMSSP_TARGET_TYPE_DOMAIN ) {
  904. pDnsTargetName = &NtLmGlobalUnicodeDnsDomainNameString;
  905. } else {
  906. pDnsTargetName = &NtLmGlobalUnicodeDnsComputerNameString;
  907. }
  908. pDnsComputerName = &NtLmGlobalUnicodeDnsComputerNameString;
  909. pDnsTreeName = &NtLmGlobalUnicodeDnsTreeName;
  910. cbAV = NtLmGlobalUnicodeTargetName.Length +
  911. NtLmGlobalUnicodeComputerNameString.Length +
  912. pDnsComputerName->Length +
  913. pDnsTargetName->Length +
  914. pDnsTreeName->Length +
  915. sizeof( AvFlags ) +
  916. (sizeof( MSV1_0_AV_PAIR ) * 6) +
  917. sizeof( MSV1_0_AV_PAIR );
  918. NtLmGlobalNtLm3TargetInfo.Buffer = (PWSTR)NtLmAllocate( cbAV );
  919. if( NtLmGlobalNtLm3TargetInfo.Buffer == NULL )
  920. {
  921. SspPrint((SSP_CRITICAL, "SsprUpdateTargetInfo, Error from NtLmAllocate\n"));
  922. return STATUS_INSUFFICIENT_RESOURCES;
  923. }
  924. ZeroMemory( NtLmGlobalNtLm3TargetInfo.Buffer, cbAV );
  925. pAV = MsvpAvlInit( NtLmGlobalNtLm3TargetInfo.Buffer );
  926. MsvpAvlAdd( pAV, MsvAvNbDomainName, &NtLmGlobalUnicodeTargetName, cbAV );
  927. MsvpAvlAdd( pAV, MsvAvNbComputerName, &NtLmGlobalUnicodeComputerNameString, cbAV );
  928. if( pDnsTargetName->Length != 0 && pDnsTargetName->Buffer != NULL )
  929. {
  930. MsvpAvlAdd( pAV, MsvAvDnsDomainName, pDnsTargetName, cbAV );
  931. }
  932. if( pDnsComputerName->Length != 0 && pDnsComputerName->Buffer != NULL )
  933. {
  934. MsvpAvlAdd( pAV, MsvAvDnsComputerName, pDnsComputerName, cbAV );
  935. }
  936. if( pDnsTreeName->Length != 0 && pDnsTreeName->Buffer != NULL )
  937. {
  938. MsvpAvlAdd( pAV, MsvAvDnsTreeName, pDnsTreeName, cbAV );
  939. }
  940. //
  941. // add in AvFlags into TargetInfo, if applicable.
  942. //
  943. if( NtLmGlobalForceGuest )
  944. {
  945. AvFlags |= MSV1_0_AV_FLAG_FORCE_GUEST;
  946. }
  947. if( AvFlags )
  948. {
  949. UNICODE_STRING AvString;
  950. AvString.Buffer = (PWSTR)&AvFlags;
  951. AvString.Length = sizeof( AvFlags );
  952. AvString.MaximumLength = AvString.Length;
  953. MsvpAvlAdd( pAV, MsvAvFlags, &AvString, cbAV );
  954. }
  955. NtLmGlobalNtLm3TargetInfo.Length = (USHORT)MsvpAvlLen( pAV, cbAV );
  956. NtLmGlobalNtLm3TargetInfo.MaximumLength = NtLmGlobalNtLm3TargetInfo.Length;
  957. return STATUS_SUCCESS;
  958. }