|
|
/*++
Copyright (c) 1993-2000 Microsoft Corporation
Module Name:
ctxtcli.cxx
Abstract:
API and support routines for handling security contexts.
Author:
Cliff Van Dyke (CliffV) 13-Jul-1993
Revision History: ChandanS 03-Aug-1996 Stolen from net\svcdlls\ntlmssp\common\context.c
--*/
//
// Common include files.
//
#include <global.h>
#include <align.h> // ALIGN_WCHAR, etc
#include <credp.h>
#include "nlp.h"
�NTSTATUSSsprHandleFirstCall( IN LSA_SEC_HANDLE CredentialHandle, IN OUT PLSA_SEC_HANDLE ContextHandle, IN ULONG ContextReqFlags, IN ULONG InputTokenSize, IN PVOID InputToken, IN PUNICODE_STRING TargetServerName OPTIONAL, IN OUT PULONG OutputTokenSize, OUT PVOID *OutputToken, OUT PULONG ContextAttributes, OUT PTimeStamp ExpirationTime, OUT PUCHAR SessionKey, OUT PULONG NegotiateFlags )
/*++
Routine Description:
Handle the First Call part of InitializeSecurityContext.
Arguments:
All arguments same as for InitializeSecurityContext
Return Value:
STATUS_SUCCESS -- All OK SEC_I_CONTINUE_NEEDED -- Caller should call again later
SEC_E_INVALID_HANDLE -- Credential/Context Handle is invalid SEC_E_BUFFER_TOO_SMALL -- Buffer for output token isn't big enough SEC_E_INSUFFICIENT_MEMORY -- Not enough memory
--*/
{
SspPrint(( SSP_API_MORE, "Entering SsprHandleFirstCall\n" )); NTSTATUS Status = STATUS_SUCCESS; PSSP_CONTEXT Context = NULL; PSSP_CREDENTIAL Credential = NULL;
PNEGOTIATE_MESSAGE NegotiateMessage = NULL; ULONG NegotiateMessageSize = 0; PCHAR Where = NULL;
ULONG NegotiateFlagsKeyStrength;
STRING NtLmLocalOemComputerNameString; STRING NtLmLocalOemPrimaryDomainNameString;
//
// Initialization
//
*ContextAttributes = 0; *NegotiateFlags = 0;
RtlInitString( &NtLmLocalOemComputerNameString, NULL ); RtlInitString( &NtLmLocalOemPrimaryDomainNameString, NULL );
//
// Get a pointer to the credential
//
Status = SspCredentialReferenceCredential( CredentialHandle, FALSE, &Credential );
if ( !NT_SUCCESS( Status ) ) { SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: invalid credential handle.\n" )); goto Cleanup; }
if ( (Credential->CredentialUseFlags & SECPKG_CRED_OUTBOUND) == 0 ) { Status = SEC_E_INVALID_CREDENTIAL_USE; SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: invalid credential use.\n" )); goto Cleanup; }
//
// Allocate a new context
//
Context = SspContextAllocateContext( );
if ( Context == NULL) { Status = STATUS_NO_MEMORY; SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: SspContextAllocateContext returned NULL\n")); goto Cleanup; }
//
// Build a handle to the newly created context.
//
*ContextHandle = (LSA_SEC_HANDLE) Context;
//
// We don't support any options.
//
// Complain about those that require we do something.
//
if ( (ContextReqFlags & ISC_REQ_PROMPT_FOR_CREDS) != 0 ) {
Status = SEC_E_INVALID_CONTEXT_REQ; SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: invalid ContextReqFlags 0x%lx.\n", ContextReqFlags )); goto Cleanup; }
//
// Capture the default credentials from the credential structure.
//
if ( Credential->DomainName.Buffer != NULL ) { Status = NtLmDuplicateUnicodeString( &Context->DomainName, &Credential->DomainName ); if (!NT_SUCCESS(Status)) { SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: NtLmDuplicateUnicodeString (DomainName) returned %d\n",Status)); goto Cleanup; } } if ( Credential->UserName.Buffer != NULL ) { Status = NtLmDuplicateUnicodeString( &Context->UserName, &Credential->UserName ); if (!NT_SUCCESS(Status)) { SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: NtLmDuplicateUnicodeString (UserName) returned %d\n", Status )); goto Cleanup; } }
Status = SspCredentialGetPassword( Credential, &Context->Password );
if (!NT_SUCCESS(Status)) { SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: SspCredentialGetPassword returned %d\n", Status )); goto Cleanup; }
//
// save away any marshalled credential info.
//
Status = CredpExtractMarshalledTargetInfo( TargetServerName, &Context->TargetInfo );
if (!NT_SUCCESS(Status)) { SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: CredpExtractMarshalledTargetInfo returned %d\n", Status )); goto Cleanup; }
//
// Compute the negotiate flags
//
//
// Supported key strength(s)
//
NegotiateFlagsKeyStrength = NTLMSSP_NEGOTIATE_56;
if( NtLmSecPkg.MachineState & SECPKG_STATE_STRONG_ENCRYPTION_PERMITTED ) { NegotiateFlagsKeyStrength |= NTLMSSP_NEGOTIATE_128; }
Context->NegotiateFlags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_OEM | NTLMSSP_NEGOTIATE_NTLM |// ((NtLmGlobalLmProtocolSupported != 0)
// ? NTLMSSP_NEGOTIATE_NTLM2 : 0 ) |
NTLMSSP_REQUEST_TARGET | NTLMSSP_NEGOTIATE_ALWAYS_SIGN | NegotiateFlagsKeyStrength;
//
// NTLM2 session security is now the default request!
// allows us to support gss-style seal/unseal for LDAP.
//
Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_NTLM2;
if ((ContextReqFlags & ISC_REQ_CONFIDENTIALITY) != 0) { if (NtLmGlobalEncryptionEnabled) {
//
// CONFIDENTIALITY implies INTEGRITY
//
ContextReqFlags |= ISC_REQ_INTEGRITY;
Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_LM_KEY | NTLMSSP_NEGOTIATE_KEY_EXCH ;
*ContextAttributes |= ISC_RET_CONFIDENTIALITY; Context->ContextFlags |= ISC_RET_CONFIDENTIALITY; } else { Status = STATUS_NOT_SUPPORTED; SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: NtLmGlobalEncryptionEnabled is FALSE\n")); goto Cleanup; } }
//
// If the caller specified INTEGRITY, SEQUENCE_DETECT or REPLAY_DETECT,
// that means they want to use the MakeSignature/VerifySignature
// calls. Add this to the negotiate.
//
if (ContextReqFlags & (ISC_REQ_INTEGRITY | ISC_REQ_SEQUENCE_DETECT | ISC_REQ_REPLAY_DETECT)) { Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_KEY_EXCH | NTLMSSP_NEGOTIATE_LM_KEY ; }
if ((ContextReqFlags & ISC_REQ_INTEGRITY) != 0) { *ContextAttributes |= ISC_RET_INTEGRITY; Context->ContextFlags |= ISC_RET_INTEGRITY; }
if ((ContextReqFlags & ISC_REQ_SEQUENCE_DETECT) != 0) { *ContextAttributes |= ISC_RET_SEQUENCE_DETECT; Context->ContextFlags |= ISC_RET_SEQUENCE_DETECT; }
if ((ContextReqFlags & ISC_REQ_REPLAY_DETECT) != 0) { *ContextAttributes |= ISC_RET_REPLAY_DETECT; Context->ContextFlags |= ISC_RET_REPLAY_DETECT; }
if ( (ContextReqFlags & ISC_REQ_NULL_SESSION ) != 0) {
*ContextAttributes |= ISC_RET_NULL_SESSION; Context->ContextFlags |= ISC_RET_NULL_SESSION; }
if ( (ContextReqFlags & ISC_REQ_CONNECTION ) != 0) {
*ContextAttributes |= ISC_RET_CONNECTION; Context->ContextFlags |= ISC_RET_CONNECTION; }
//
// Check if the caller wants identify level
//
if ((ContextReqFlags & ISC_REQ_IDENTIFY)!= 0) { Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_IDENTIFY; *ContextAttributes |= ISC_RET_IDENTIFY; Context->ContextFlags |= ISC_RET_IDENTIFY; }
IF_DEBUG( USE_OEM ) { Context->NegotiateFlags &= ~NTLMSSP_NEGOTIATE_UNICODE; }
if ( ((ContextReqFlags & ISC_REQ_MUTUAL_AUTH) != 0 ) && (NtLmGlobalMutualAuthLevel < 2 ) ) {
*ContextAttributes |= ISC_RET_MUTUAL_AUTH ;
if ( NtLmGlobalMutualAuthLevel == 0 ) { Context->ContextFlags |= ISC_RET_MUTUAL_AUTH ; }
}
//
// It is important to remove LM_KEY for compat 2 on the first call to ISC
// in the datagram case, but not harmful in the connection case
//
if (NtLmGlobalLmProtocolSupported == NoLm){ Context->NegotiateFlags &= ~NTLMSSP_NEGOTIATE_LM_KEY; }
//
// For connection oriented security, we send a negotiate message to
// the server. For datagram, we get back the server's
// capabilities in the challenge message.
//
if ((ContextReqFlags & ISC_REQ_DATAGRAM) == 0) {
BOOLEAN CheckForLocal;
if ( (Credential->DomainName.Buffer == NULL && Credential->UserName.Buffer == NULL && Credential->Password.Buffer == NULL ) ) { CheckForLocal = TRUE; } else { CheckForLocal = FALSE; }
if( CheckForLocal ) {
//
// snap up a copy of the globals so we can just take the critsect once.
// the old way took the critsect twice, once to read sizes, second time
// to grab buffers - bad news if the global got bigger in between.
//
RtlAcquireResourceShared(&NtLmGlobalCritSect, TRUE);
if( NtLmGlobalOemComputerNameString.Buffer == NULL || NtLmGlobalOemPrimaryDomainNameString.Buffer == NULL ) {
//
// user has picked a computer name or domain name
// that failed to convert to OEM. disable the loopback
// detection.
// Sometime beyond Win2k, Negotiate package should have
// a general, robust scheme for detecting loopback.
//
CheckForLocal = FALSE;
} else {
Status = NtLmDuplicateString( &NtLmLocalOemComputerNameString, &NtLmGlobalOemComputerNameString );
if( NT_SUCCESS(Status) ) { Status = NtLmDuplicateString( &NtLmLocalOemPrimaryDomainNameString, &NtLmGlobalOemPrimaryDomainNameString ); }
}
RtlReleaseResource(&NtLmGlobalCritSect);
if (!NT_SUCCESS(Status)) { SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: NtLmDuplicateUnicodeString (GlobalOemComputerName or GlobalOemPrimaryDomainName) returned %d\n", Status )); goto Cleanup; } }
//
// Allocate a Negotiate message
//
NegotiateMessageSize = sizeof(*NegotiateMessage) + NtLmLocalOemComputerNameString.Length + NtLmLocalOemPrimaryDomainNameString.Length;
if ((ContextReqFlags & ISC_REQ_ALLOCATE_MEMORY) == 0) { if ( NegotiateMessageSize > *OutputTokenSize ) { Status = SEC_E_BUFFER_TOO_SMALL; SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: OutputTokenSize is %d\n", *OutputTokenSize)); goto Cleanup; } }
NegotiateMessage = (PNEGOTIATE_MESSAGE) NtLmAllocateLsaHeap( NegotiateMessageSize );
if ( NegotiateMessage == NULL) { Status = STATUS_NO_MEMORY; SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: Error allocating NegotiateMessage.\n")); goto Cleanup; }
//
// If this is the first call,
// build a Negotiate message.
//
strcpy( (char *) NegotiateMessage->Signature, NTLMSSP_SIGNATURE ); NegotiateMessage->MessageType = NtLmNegotiate; NegotiateMessage->NegotiateFlags = Context->NegotiateFlags;
IF_DEBUG( REQUEST_TARGET ) { NegotiateMessage->NegotiateFlags |= NTLMSSP_REQUEST_TARGET; }
//
// Copy the DomainName and ComputerName into the negotiate message so
// the other side can determine if this is a call from the local system.
//
// Pass the names in the OEM character set since the character set
// hasn't been negotiated yet.
//
// Skip passing the workstation name if credentials were specified. This
// ensures the other side doesn't fall into the case that this is the
// local system. We wan't to ensure the new credentials are
// authenticated.
//
Where = (PCHAR)(NegotiateMessage+1);
if ( CheckForLocal ) {
SspContextCopyString( NegotiateMessage, &NegotiateMessage->OemWorkstationName, &NtLmLocalOemComputerNameString, &Where );
NegotiateMessage->NegotiateFlags |= NTLMSSP_NEGOTIATE_OEM_WORKSTATION_SUPPLIED;
//
// OEM_DOMAIN_SUPPLIED used to always be supplied - but the
// only case it is ever used is when NTLMSSP_NEGOTIATE_LOCAL_CALL
// is set.
//
SspContextCopyString( NegotiateMessage, &NegotiateMessage->OemDomainName, &NtLmLocalOemPrimaryDomainNameString, &Where );
NegotiateMessage->NegotiateFlags |= NTLMSSP_NEGOTIATE_OEM_DOMAIN_SUPPLIED;
}
if ((ContextReqFlags & ISC_REQ_ALLOCATE_MEMORY) == 0) { RtlCopyMemory( *OutputToken, NegotiateMessage, NegotiateMessageSize );
} else { *OutputToken = NegotiateMessage; NegotiateMessage = NULL; *ContextAttributes |= ISC_RET_ALLOCATED_MEMORY; }
*OutputTokenSize = NegotiateMessageSize;
}
//
// Save a reference to the credential in the context.
//
Context->Credential = Credential; Credential = NULL;
//
// Check for a caller requesting datagram security.
//
if ((ContextReqFlags & ISC_REQ_DATAGRAM) != 0) { Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_DATAGRAM; Context->NegotiateFlags &= ~NTLMSSP_NEGOTIATE_NT_ONLY; Context->ContextFlags |= ISC_RET_DATAGRAM; *ContextAttributes |= ISC_RET_DATAGRAM;
// If datagram security is required, then we don't send back a token
*OutputTokenSize = 0;
//
// Generate a session key for this context if sign or seal was
// requested.
//
if ((Context->NegotiateFlags & (NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL)) != 0) {
Status = SspGenerateRandomBits( Context->SessionKey, MSV1_0_USER_SESSION_KEY_LENGTH );
if( !NT_SUCCESS( Status ) ) { SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: SspGenerateRandomBits failed\n")); goto Cleanup; } } RtlCopyMemory( SessionKey, Context->SessionKey, MSV1_0_USER_SESSION_KEY_LENGTH );
//
// Unless client wants to force its use,
// Turn off strong crypt, because we can't negotiate it.
//
if (!NtLmGlobalDatagramUse128BitEncryption) { Context->NegotiateFlags &= ~NTLMSSP_NEGOTIATE_128; }
//
// likewise for 56bit. note that package init handles turning
// off 56bit if 128bit is configured for datagram.
//
if(!NtLmGlobalDatagramUse56BitEncryption) { Context->NegotiateFlags &= ~NTLMSSP_NEGOTIATE_56; }
//
// Unless client wants to require NTLM2, can't use its
// message processing features because we start using
// MD5 sigs, full duplex mode, and datagram rekey before
// we know if the server supports NTLM2.
//
if (!NtLmGlobalRequireNtlm2) { Context->NegotiateFlags &= ~NTLMSSP_NEGOTIATE_NTLM2; }
//
// done fiddling with the negotiate flags, output them.
//
*NegotiateFlags = Context->NegotiateFlags;
//
// send back the negotiate flags to control signing and sealing
//
*NegotiateFlags |= NTLMSSP_APP_SEQ;
}
if( Context->NegotiateFlags & NTLMSSP_NEGOTIATE_KEY_EXCH ) { Status = SspGenerateRandomBits( Context->SessionKey, MSV1_0_USER_SESSION_KEY_LENGTH );
if( !NT_SUCCESS( Status ) ) { SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: SspGenerateRandomBits failed\n")); goto Cleanup; }
RtlCopyMemory( SessionKey, Context->SessionKey, MSV1_0_USER_SESSION_KEY_LENGTH ); }
//
// Return output parameters to the caller.
//
*ExpirationTime = SspContextGetTimeStamp( Context, TRUE );
Status = SEC_I_CONTINUE_NEEDED; Context->State = NegotiateSentState;
SspPrint(( SSP_NEGOTIATE_FLAGS, "SsprHandleFirstCall: NegotiateFlags = %lx\n", Context->NegotiateFlags));
//
// Check that caller asked for minimum security required.
//
if (!SsprCheckMinimumSecurity( Context->NegotiateFlags, NtLmGlobalMinimumClientSecurity)) {
Status = SEC_E_UNSUPPORTED_FUNCTION;
SspPrint(( SSP_CRITICAL, "SsprHandleFirstCall: " "Caller didn't request minimum security requirements (caller=0x%lx wanted=0x%lx).\n", Context->NegotiateFlags, NtLmGlobalMinimumClientSecurity )); goto Cleanup; }
//
// Free and locally used resources.
//
Cleanup:
if ( Context != NULL ) {
//
// If we failed,
// deallocate the context we allocated above.
//
// Delinking is a side effect of referencing, so do that.
//
if ( !NT_SUCCESS(Status) ) {
PSSP_CONTEXT LocalContext; SspContextReferenceContext( *ContextHandle, TRUE, &LocalContext );
ASSERT( LocalContext != NULL ); if ( LocalContext != NULL ) { SspContextDereferenceContext( LocalContext ); } }
// Always dereference it.
SspContextDereferenceContext( Context ); }
if ( NegotiateMessage != NULL ) { (VOID) NtLmFreeLsaHeap( NegotiateMessage ); }
if ( Credential != NULL ) { SspCredentialDereferenceCredential( Credential ); }
if ( NtLmLocalOemComputerNameString.Buffer != NULL ) { (VOID) NtLmFreePrivateHeap( NtLmLocalOemComputerNameString.Buffer ); }
if ( NtLmLocalOemPrimaryDomainNameString.Buffer != NULL ) { (VOID) NtLmFreePrivateHeap( NtLmLocalOemPrimaryDomainNameString.Buffer ); }
SspPrint(( SSP_API_MORE, "Leaving SsprHandleFirstCall: 0x%lx\n", Status )); return Status;
UNREFERENCED_PARAMETER( InputToken ); UNREFERENCED_PARAMETER( InputTokenSize );
}
�NTSTATUSSsprHandleChallengeMessage( IN LSA_SEC_HANDLE CredentialHandle, IN OUT PLSA_SEC_HANDLE ContextHandle, IN ULONG ContextReqFlags, IN ULONG InputTokenSize, IN PVOID InputToken, IN ULONG SecondInputTokenSize, IN PVOID SecondInputToken, IN PUNICODE_STRING TargetServerName, IN OUT PULONG OutputTokenSize, OUT PVOID *OutputToken, IN OUT PULONG SecondOutputTokenSize, OUT PVOID *SecondOutputToken, OUT PULONG ContextAttributes, OUT PTimeStamp ExpirationTime, OUT PUCHAR SessionKey, OUT PULONG NegotiateFlags )
/*++
Routine Description:
Handle the Challenge message part of InitializeSecurityContext.
Arguments:
DomainName,UserName,Password - Passed in credentials to be used for this context.
DomainNameSize,userNameSize,PasswordSize - length in characters of the credentials to be used for this context.
SessionKey - Session key to use for this context
NegotiateFlags - Flags negotiated for this context
TargetServerName - Target server name, used by CredMgr to associates NT4 servers with domains
All other arguments same as for InitializeSecurityContext
Return Value:
STATUS_SUCCESS - Message handled SEC_I_CONTINUE_NEEDED -- Caller should call again later
SEC_E_INVALID_TOKEN -- Token improperly formatted SEC_E_INVALID_HANDLE -- Credential/Context Handle is invalid SEC_E_BUFFER_TOO_SMALL -- Buffer for output token isn't big enough SEC_E_NO_CREDENTIALS -- There are no credentials for this client SEC_E_INSUFFICIENT_MEMORY -- Not enough memory
--*/
{ SECURITY_STATUS SecStatus = STATUS_SUCCESS; PSSP_CONTEXT Context = NULL; PCHALLENGE_MESSAGE ChallengeMessage = NULL; PNTLM_CHALLENGE_MESSAGE NtLmChallengeMessage = NULL; PAUTHENTICATE_MESSAGE AuthenticateMessage = NULL; PNTLM_INITIALIZE_RESPONSE NtLmInitializeResponse = NULL; PMSV1_0_GETCHALLENRESP_RESPONSE ChallengeResponseMessage = NULL; STRING UserName = {0}; STRING DomainName = {0}; STRING Workstation = {0}; STRING LmChallengeResponse = {0}; STRING NtChallengeResponse = {0}; STRING DatagramSessionKey = {0}; BOOLEAN DoUnicode = TRUE;
NTSTATUS Status = STATUS_SUCCESS; NTSTATUS ProtocolStatus;
MSV1_0_GETCHALLENRESP_REQUEST TempChallengeResponse; PMSV1_0_GETCHALLENRESP_REQUEST GetChallengeResponse; ULONG GetChallengeResponseSize;
UNICODE_STRING RevealedPassword = {0};
ULONG ChallengeResponseSize; ULONG AuthenticateMessageSize; PCHAR Where; UCHAR LocalSessionKey[MSV1_0_USER_SESSION_KEY_LENGTH]; UCHAR DatagramKey[MSV1_0_USER_SESSION_KEY_LENGTH]; PLUID ClientLogonId = NULL; SECURITY_IMPERSONATION_LEVEL ImpersonationLevel = SecurityImpersonation; BOOLEAN UseSuppliedCreds = FALSE; PSSP_CREDENTIAL Credential = NULL; BOOLEAN fCallFromRedir = FALSE; BOOLEAN fShareLevel = FALSE; // is target down-level share based security (no username) ?
BOOLEAN fCredmanCredentials = FALSE; // used credman creds?
UNICODE_STRING TargetName = {0}; UNICODE_STRING DefectiveTargetName = {0}; // for broken servers.
LPWSTR szCredTargetDomain = NULL; LPWSTR szCredTargetServer = NULL; LPWSTR szCredTargetDnsDomain = NULL; LPWSTR szCredTargetDnsServer = NULL; LPWSTR szCredTargetDnsTree = NULL; LPWSTR szCredTargetPreDFSServer = NULL; LUID LogonIdNetworkService = NETWORKSERVICE_LUID;
PSSP_CONTEXT ServerContext = NULL; // server context referenced during loopback
HANDLE ClientTokenHandle = NULL; // access token associated with client
// which called AcquireCredentialsHandle (OUTBOUND)
SspPrint((SSP_API_MORE, "Entering SsprHandleChallengeMessage\n"));
//
// Initialization
//
*ContextAttributes = 0; *NegotiateFlags = 0;
GetChallengeResponse = &TempChallengeResponse;
if (*ContextHandle == NULL) { // This is possibly an old style redir call (for 4.0 and before)
// so, alloc the context and replace the creds if new ones exists
fCallFromRedir = TRUE;
SspPrint((SSP_API_MORE, "SsprHandleChallengeMessage: *ContextHandle is NULL (old-style RDR)\n"));
if ((ContextReqFlags & ISC_REQ_USE_SUPPLIED_CREDS) != 0) { UseSuppliedCreds = TRUE; }
// This is a superflous check since we alloc only if the caller
// has asked us too. This is to make sure that the redir always asks us to alloc
if (!(ContextReqFlags & ISC_REQ_ALLOCATE_MEMORY)) { SecStatus = STATUS_NOT_SUPPORTED; goto Cleanup; }
SecStatus = SspCredentialReferenceCredential( CredentialHandle, FALSE, &Credential );
if ( !NT_SUCCESS( SecStatus ) ) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: SspCredentialReferenceCredential returns %x.\n", SecStatus )); goto Cleanup; }
//
// Allocate a new context
//
Context = SspContextAllocateContext();
if (Context == NULL) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: SspContextAllocateContext returns NULL.\n" )); SecStatus = STATUS_NO_MEMORY; goto Cleanup; }
// We've just added a context, we don't nornally add and then
// reference it.
SspContextDereferenceContext( Context );
*ContextHandle = (LSA_SEC_HANDLE) Context;
//
// Capture the default credentials from the credential structure.
//
if ( Credential->DomainName.Buffer != NULL ) { Status = NtLmDuplicateUnicodeString( &Context->DomainName, &Credential->DomainName ); if (!NT_SUCCESS(Status)) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: NtLmDuplicateUnicodeString (DomainName) returned %d\n",Status)); SecStatus = SspNtStatusToSecStatus( Status, SEC_E_INSUFFICIENT_MEMORY); goto Cleanup; } } if ( Credential->UserName.Buffer != NULL ) { Status = NtLmDuplicateUnicodeString( &Context->UserName, &Credential->UserName ); if (!NT_SUCCESS(Status)) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: NtLmDuplicateUnicodeString (UserName) returned %d\n", Status )); SecStatus = SspNtStatusToSecStatus( Status, SEC_E_INSUFFICIENT_MEMORY); goto Cleanup; } }
SecStatus = SspCredentialGetPassword( Credential, &Context->Password );
if (!NT_SUCCESS(SecStatus)) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: SspCredentialGetPassword returned %d\n", SecStatus )); goto Cleanup; }
// Assign the Credential
Context->Credential = Credential; Credential = NULL;
//
// fake it
//
Context->NegotiateFlags = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_OEM | NTLMSSP_REQUEST_TARGET | NTLMSSP_REQUEST_INIT_RESPONSE | ((NtLmGlobalLmProtocolSupported != 0) ? NTLMSSP_NEGOTIATE_NTLM2 : 0 ) | NTLMSSP_TARGET_TYPE_SERVER ;
*ExpirationTime = SspContextGetTimeStamp(Context, TRUE);
Context->State = NegotiateSentState;
// If creds are passed in by the RDR, then replace the ones in the context
if (UseSuppliedCreds) { if (SecondInputTokenSize < sizeof(NTLM_CHALLENGE_MESSAGE)) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: Invalid SecondInputTokensize.\n" )); SecStatus = SEC_E_INVALID_TOKEN; goto Cleanup; }
NtLmChallengeMessage = (PNTLM_CHALLENGE_MESSAGE) NtLmAllocatePrivateHeap(SecondInputTokenSize); if (NtLmChallengeMessage == NULL) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: Error while allocating NtLmChallengeMessage\n" )); SecStatus = STATUS_NO_MEMORY; goto Cleanup; }
RtlCopyMemory(NtLmChallengeMessage, SecondInputToken, SecondInputTokenSize);
//
// NULL session is only true if user, domain, and password are all
// empty strings in stead of NULLs
//
if (((NtLmChallengeMessage->Password.Length == 0) && (NtLmChallengeMessage->Password.Buffer != NULL)) && ((NtLmChallengeMessage->UserName.Length == 0) && (NtLmChallengeMessage->UserName.Buffer != NULL)) && ((NtLmChallengeMessage->DomainName.Length == 0) && (NtLmChallengeMessage->DomainName.Buffer != NULL))) { // This could only be a null session request
SspPrint(( SSP_WARNING, "SsprHandleChallengeMessage: null session NtLmChallengeMessage\n" ));
if (Context->Password.Buffer != NULL) { // free it first
NtLmFreePrivateHeap (Context->Password.Buffer); }
Context->Password.Buffer = (LPWSTR) NtLmAllocatePrivateHeap(sizeof(WCHAR)); if (Context->Password.Buffer == NULL) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: NtLmAllocatePrivateHeap(Password) returns NULL.\n")); SecStatus = SEC_E_INSUFFICIENT_MEMORY; goto Cleanup; } Context->Password.Length = 0; Context->Password.MaximumLength = 0; *(Context->Password.Buffer) = L'\0'; SspHidePassword(&Context->Password);
if (Context->UserName.Buffer != NULL) { // free it first
NtLmFreePrivateHeap (Context->UserName.Buffer); }
Context->UserName.Buffer = (LPWSTR) NtLmAllocatePrivateHeap(sizeof(WCHAR)); if (Context->UserName.Buffer == NULL) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: NtLmAllocatePrivateHeap(UserName) returns NULL.\n")); SecStatus = SEC_E_INSUFFICIENT_MEMORY; goto Cleanup; } Context->UserName.Length = 0; Context->UserName.MaximumLength = sizeof(WCHAR); *(Context->UserName.Buffer) = L'\0';
if (Context->DomainName.Buffer != NULL) { // free it first
NtLmFreePrivateHeap (Context->DomainName.Buffer); }
Context->DomainName.Buffer = (LPWSTR) NtLmAllocatePrivateHeap(sizeof(WCHAR)); if (Context->DomainName.Buffer == NULL) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: NtLmAllocatePrivateHeap(DomainName) returns NULL.\n")); SecStatus = SEC_E_INSUFFICIENT_MEMORY; goto Cleanup; } Context->DomainName.Length = 0; Context->DomainName.MaximumLength = sizeof(WCHAR); *(Context->DomainName.Buffer) = L'\0'; } else { ULONG_PTR BufferTail = (ULONG_PTR)NtLmChallengeMessage + SecondInputTokenSize; UNICODE_STRING AbsoluteString;
if (NtLmChallengeMessage->Password.Buffer != 0) { AbsoluteString.Buffer = (LPWSTR)((PUCHAR)NtLmChallengeMessage + NtLmChallengeMessage->Password.Buffer);
//
// verify buffer not out of range.
//
if( ( (ULONG_PTR)AbsoluteString.Buffer > BufferTail ) || ( (ULONG_PTR)((PUCHAR)AbsoluteString.Buffer + NtLmChallengeMessage->Password.Length) > BufferTail ) || ( (ULONG_PTR)AbsoluteString.Buffer < (ULONG_PTR)NtLmChallengeMessage ) ) { SecStatus = SEC_E_NO_CREDENTIALS; SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: Buffer overflow (Password).\n" )); goto Cleanup;
}
if (Context->Password.Buffer != NULL) { // free it first
NtLmFreePrivateHeap (Context->Password.Buffer); Context->Password.Buffer = NULL; }
AbsoluteString.Length = AbsoluteString.MaximumLength = NtLmChallengeMessage->Password.Length;
SecStatus = NtLmDuplicatePassword( &Context->Password, &AbsoluteString );
if (!NT_SUCCESS(SecStatus)) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: NtLmDuplicatePassword returns 0x%lx.\n",SecStatus )); goto Cleanup; }
SspHidePassword(&Context->Password); }
if (NtLmChallengeMessage->UserName.Length != 0) { AbsoluteString.Buffer = (LPWSTR)((PUCHAR)NtLmChallengeMessage + NtLmChallengeMessage->UserName.Buffer);
//
// verify buffer not out of range.
//
if( ( (ULONG_PTR)AbsoluteString.Buffer > BufferTail ) || ( (ULONG_PTR)((PUCHAR)AbsoluteString.Buffer + NtLmChallengeMessage->UserName.Length) > BufferTail ) || ( (ULONG_PTR)AbsoluteString.Buffer < (ULONG_PTR)NtLmChallengeMessage ) ) { SecStatus = SEC_E_NO_CREDENTIALS; SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: Buffer overflow (UserName).\n" )); goto Cleanup;
}
if (Context->UserName.Buffer != NULL) { // free it first
NtLmFreePrivateHeap (Context->UserName.Buffer); }
AbsoluteString.Length = AbsoluteString.MaximumLength = NtLmChallengeMessage->UserName.Length; SecStatus = NtLmDuplicateUnicodeString(&Context->UserName, &AbsoluteString); if (!NT_SUCCESS(SecStatus)) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: NtLmDuplicateUnicodeString(UserName) returns 0x%lx.\n",SecStatus )); goto Cleanup; } }
if (NtLmChallengeMessage->DomainName.Length != 0) { AbsoluteString.Buffer = (LPWSTR)((PUCHAR)NtLmChallengeMessage + NtLmChallengeMessage->DomainName.Buffer);
//
// verify buffer not out of range.
//
if( ( (ULONG_PTR)AbsoluteString.Buffer > BufferTail ) || ( (ULONG_PTR)((PUCHAR)AbsoluteString.Buffer + NtLmChallengeMessage->DomainName.Length) > BufferTail ) || ( (ULONG_PTR)AbsoluteString.Buffer < (ULONG_PTR)NtLmChallengeMessage ) ) { SecStatus = SEC_E_NO_CREDENTIALS; SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: Buffer overflow (DomainName).\n" )); goto Cleanup;
}
if (Context->DomainName.Buffer != NULL) { // free it first
NtLmFreePrivateHeap (Context->DomainName.Buffer); }
AbsoluteString.Length = AbsoluteString.MaximumLength = NtLmChallengeMessage->DomainName.Length; SecStatus = NtLmDuplicateUnicodeString(&Context->DomainName, &AbsoluteString); if (!NT_SUCCESS(SecStatus)) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: NtLmDuplicateUnicodeString(DomainName) returns 0x%lx.\n",SecStatus )); goto Cleanup; } } }
if (NtLmChallengeMessage) { NtLmFreePrivateHeap (NtLmChallengeMessage); NtLmChallengeMessage = NULL; }
} // end of special casing if credentials are supplied in the first init call
} // end of special casing for the old style redir
//
// Find the currently existing context.
//
SecStatus = SspContextReferenceContext( *ContextHandle, FALSE, &Context );
if ( !NT_SUCCESS(SecStatus) ) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: invalid context handle.\n" )); goto Cleanup;
}
//
// bug 321061: passing Accept handle to Init causes AV.
//
if( Context->Credential == NULL ) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: invalid context handle, missing credential.\n" ));
SecStatus = STATUS_INVALID_HANDLE; goto Cleanup; }
//
// If this is not reauthentication (or is datagram reauthentication)
// pull the context out of the associated credential.
//
if ((Context->State != AuthenticateSentState) || (Context->NegotiateFlags & NTLMSSP_NEGOTIATE_DATAGRAM) != 0) { ClientLogonId = &Context->Credential->LogonId; ImpersonationLevel = Context->Credential->ImpersonationLevel; }
//
// process the TargetServerName to see if marshalled target info was
// passed in. This can happen if the caller passes in marshalled target
// info for each call to InitializeSecurityContext(), or, uses the downlevel
// RDR path which happened previously in this routine.
//
Status = CredpExtractMarshalledTargetInfo( TargetServerName, &Context->TargetInfo );
if (!NT_SUCCESS(Status)) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: CredpExtractMarshalledTargetInfo returned %d\n", Status )); goto Cleanup; }
//
// If we have already sent the authenticate message, then this must be
// RPC calling Initialize a third time to re-authenticate a connection.
// This happens when a new interface is called over an existing
// connection. What we do here is build a NULL authenticate message
// that the server will recognize and also ignore.
//
//
// That being said, if we are doing datagram style authentication then
// the story is different. The server may have dropped this security
// context and then the client sent another packet over. The server
// will then be trying to restore the context, so we need to build
// another authenticate message.
//
if ( Context->State == AuthenticateSentState ) { AUTHENTICATE_MESSAGE NullMessage;
if (((Context->NegotiateFlags & NTLMSSP_NEGOTIATE_DATAGRAM) == NTLMSSP_NEGOTIATE_DATAGRAM) && (InputTokenSize != 0) && (InputToken != NULL) ) {
//
// we are doing a reauthentication for datagram, so let this
// through. We don't want the security.dll remapping this
// context.
//
*ContextAttributes |= SSP_RET_REAUTHENTICATION;
} else {
//
// To make sure this is the intended meaning of the call, check
// that the input token is NULL.
//
if ( (InputTokenSize != 0) || (InputToken != NULL) ) {
SecStatus = SEC_E_INVALID_TOKEN; SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: (re-auth) invalid InputTokenSize.\n" )); goto Cleanup; }
if ( (*OutputTokenSize < sizeof(NullMessage)) && ((ContextReqFlags & ISC_REQ_ALLOCATE_MEMORY) == 0)) { SecStatus = SEC_E_BUFFER_TOO_SMALL; SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: invalid OutputTokenSize.\n" )); } else { RtlZeroMemory( &NullMessage, sizeof(NullMessage) );
strcpy( (char *)NullMessage.Signature, NTLMSSP_SIGNATURE ); NullMessage.MessageType = NtLmAuthenticate; if ((ContextReqFlags & ISC_REQ_ALLOCATE_MEMORY) == 0) { RtlCopyMemory( *OutputToken, &NullMessage, sizeof(NullMessage)); } else { PAUTHENTICATE_MESSAGE NewNullMessage = (PAUTHENTICATE_MESSAGE) NtLmAllocateLsaHeap(sizeof(NullMessage)); if ( NewNullMessage == NULL) { SecStatus = STATUS_NO_MEMORY; SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: Error allocating NewNullMessage.\n" )); goto Cleanup; }
*OutputToken = NewNullMessage; NewNullMessage = NULL; *ContextAttributes |= ISC_RET_ALLOCATED_MEMORY; } *OutputTokenSize = sizeof(NullMessage); }
*ContextAttributes |= SSP_RET_REAUTHENTICATION; goto Cleanup;
}
} else if ( Context->State != NegotiateSentState ) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: " "Context not in NegotiateSentState\n" )); SecStatus = SEC_E_OUT_OF_SEQUENCE; goto Cleanup; }
//
// We don't support any options.
// Complain about those that require we do something.
//
if ( (ContextReqFlags & ISC_REQ_PROMPT_FOR_CREDS) != 0 ){
SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: invalid ContextReqFlags 0x%lx.\n", ContextReqFlags )); SecStatus = SEC_E_INVALID_CONTEXT_REQ; goto Cleanup; }
//
// Ignore the Credential Handle.
//
// Since this is the second call,
// the credential is implied by the Context.
// We could double check that the Credential Handle is either NULL or
// correct. However, our implementation doesn't maintain a close
// association between the two (actually no association) so checking
// would require a lot of overhead.
//
UNREFERENCED_PARAMETER( CredentialHandle );
//
// Get the ChallengeMessage.
//
if ( InputTokenSize < sizeof(OLD_CHALLENGE_MESSAGE) ) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: " "ChallengeMessage size wrong %ld\n", InputTokenSize )); SecStatus = SEC_E_INVALID_TOKEN; goto Cleanup; }
SecStatus = SspContextGetMessage( InputToken, InputTokenSize, NtLmChallenge, (PVOID *)&ChallengeMessage );
if ( !NT_SUCCESS(SecStatus) ) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: " "ChallengeMessage GetMessage returns 0x%lx\n", SecStatus )); goto Cleanup; }
//
// for down-level RDR, EXPORTED_CONTEXT is a hint that we are talking to
// share level target.
//
if( fCallFromRedir ) { if( ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_EXPORTED_CONTEXT ) { ChallengeMessage->NegotiateFlags &= ~(NTLMSSP_NEGOTIATE_EXPORTED_CONTEXT); fShareLevel = TRUE;
SspPrint(( SSP_WARNING, "SsprHandleChallengeMessage: " "downlevel sharelevel security target\n")); } }
if( ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_DATAGRAM ) {
//
// take out any flags we didn't ask for -- self defense from bogus combinations
//
ChallengeMessage->NegotiateFlags &= ( Context->NegotiateFlags | NTLMSSP_NEGOTIATE_TARGET_INFO | NTLMSSP_TARGET_TYPE_SERVER | NTLMSSP_TARGET_TYPE_DOMAIN | NTLMSSP_NEGOTIATE_LOCAL_CALL ); }
//
// Determine if the caller wants OEM or UNICODE
//
if ( ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_UNICODE ) { Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_UNICODE; Context->NegotiateFlags &= ~NTLMSSP_NEGOTIATE_OEM; DoUnicode = TRUE; } else if ( ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_OEM ){ Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_OEM; Context->NegotiateFlags &= ~NTLMSSP_NEGOTIATE_UNICODE; DoUnicode = FALSE; } else { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: " "ChallengeMessage bad NegotiateFlags 0x%lx\n", ChallengeMessage->NegotiateFlags )); SecStatus = SEC_E_INVALID_TOKEN; goto Cleanup; }
//
// Copy other interesting negotiate flags into the context
//
if( ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_TARGET_INFO ) { Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_TARGET_INFO; } else { Context->NegotiateFlags &= ~(NTLMSSP_NEGOTIATE_TARGET_INFO); }
//
// if got NTLM2, or if LM_KEY specifically forbidden don't use LM_KEY
//
if ((ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2) || (NtLmGlobalLmProtocolSupported == NoLm)) {
if( Context->NegotiateFlags & NTLMSSP_NEGOTIATE_LM_KEY ) { SspPrint(( SSP_NEGOTIATE_FLAGS, "SsprHandleChallengeMessage: " "Server support NTLM2 caused LM_KEY to be disabled.\n" )); }
ChallengeMessage->NegotiateFlags &= ~NTLMSSP_NEGOTIATE_LM_KEY; Context->NegotiateFlags &= ~(NTLMSSP_NEGOTIATE_LM_KEY); }
//
// if we did not get NTLM2 remove it from context negotiate flags
//
if(!(ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2)){ if( Context->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2 ) { SspPrint(( SSP_NEGOTIATE_FLAGS, "SsprHandleChallengeMessage: " "Server didn't support NTLM2 and client did.\n" )); }
Context->NegotiateFlags &= ~(NTLMSSP_NEGOTIATE_NTLM2); }
if ((ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM) == 0) { if( Context->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM ) { SspPrint(( SSP_NEGOTIATE_FLAGS, "SsprHandleChallengeMessage: " "Server didn't support NTLM and client did.\n" )); }
Context->NegotiateFlags &= ~(NTLMSSP_NEGOTIATE_NTLM); }
if ((ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_KEY_EXCH) == 0) { if( Context->NegotiateFlags & NTLMSSP_NEGOTIATE_KEY_EXCH ) { SspPrint(( SSP_NEGOTIATE_FLAGS, "SsprHandleChallengeMessage: " "Server didn't support KEY_EXCH and client did.\n" )); }
Context->NegotiateFlags &= ~(NTLMSSP_NEGOTIATE_KEY_EXCH); }
if ((ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_LM_KEY) == 0) { if( Context->NegotiateFlags & NTLMSSP_NEGOTIATE_LM_KEY ) { SspPrint(( SSP_NEGOTIATE_FLAGS, "SsprHandleChallengeMessage: " "Server didn't support LM_KEY and client did.\n" )); }
Context->NegotiateFlags &= ~(NTLMSSP_NEGOTIATE_LM_KEY); }
//
// make sure KEY_EXCH is always set if DATAGRAM negotiated and we need a key
// this is for local internal use; its now safe because we've got the bits
// to go on the wire copied...
//
if ((Context->NegotiateFlags & NTLMSSP_NEGOTIATE_DATAGRAM) && (Context->NegotiateFlags & (NTLMSSP_NEGOTIATE_SIGN |NTLMSSP_NEGOTIATE_SEAL))) { Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_KEY_EXCH; }
//
// allow negotiate of certain options such as sign/seal when server
// asked for it, but client didn't.
//
#if 0
////
if( ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_SEAL ) { if( (Context->NegotiateFlags & NTLMSSP_NEGOTIATE_SEAL) == 0 ) { SspPrint(( SSP_SESSION_KEYS, "SsprHandleChallengeMessage: client didn't request SEAL but server did, adding SEAL.\n")); }
Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_SEAL; }
if( ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_SIGN ) { if( (Context->NegotiateFlags & NTLMSSP_NEGOTIATE_SIGN) == 0 ) { SspPrint(( SSP_SESSION_KEYS, "SsprHandleChallengeMessage: client didn't request SIGN but server did, adding SIGN.\n")); }
Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_SIGN; }////
#endif
//
// if server didn't support certain crypto strengths, insure they
// are disabled.
//
if( (ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_56) == 0 ) { if( Context->NegotiateFlags & NTLMSSP_NEGOTIATE_56 ) { SspPrint(( SSP_NEGOTIATE_FLAGS, "SsprHandleChallengeMessage: Client supported 56, but server didn't.\n")); }
Context->NegotiateFlags &= ~(NTLMSSP_NEGOTIATE_56); }
if( (ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_128) == 0 ) {
if( Context->NegotiateFlags & NTLMSSP_NEGOTIATE_128 ) { SspPrint(( SSP_NEGOTIATE_FLAGS, "SsprHandleChallengeMessage: Client supported 128, but server didn't.\n")); }
Context->NegotiateFlags &= ~(NTLMSSP_NEGOTIATE_128); }
//
// Check that server gave minimum security required.
// not done for legacy down-level case, as, NegotiateFlags are
// constructed from incomplete information.
//
if( !fCallFromRedir ) { if (!SsprCheckMinimumSecurity( Context->NegotiateFlags, NtLmGlobalMinimumClientSecurity)) {
SecStatus = SEC_E_UNSUPPORTED_FUNCTION; SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: " "ChallengeMessage didn't support minimum security requirements.\n" )); goto Cleanup; } }
if (ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN ) { Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_ALWAYS_SIGN; } else { Context->NegotiateFlags &= ~NTLMSSP_NEGOTIATE_ALWAYS_SIGN; }
//
// Determine that the caller negotiated to NTLM or nothing, but not
// NetWare.
//
if ( (ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_NETWARE) && ((ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM) == 0) && ((ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2) == 0) ) { SecStatus = STATUS_NOT_SUPPORTED; SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: " "ChallengeMessage asked for Netware only.\n" )); goto Cleanup; }
//
// Check if we negotiated for identify level
//
if (Context->NegotiateFlags & NTLMSSP_NEGOTIATE_IDENTIFY) { if (ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_IDENTIFY) {
Context->ContextFlags |= ISC_REQ_IDENTIFY; *ContextAttributes |= ISC_RET_IDENTIFY; } else { SecStatus = STATUS_NOT_SUPPORTED; SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: " "ChallengeMessage bad NegotiateFlags 0x%lx\n", ChallengeMessage->NegotiateFlags )); goto Cleanup; }
}
//
// If the server is running on this same machine,
// just duplicate our caller's token and use it.
//
while ( ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_LOCAL_CALL ) { ULONG_PTR ServerContextHandle; static const UCHAR FixedSessionKey[MSV1_0_USER_SESSION_KEY_LENGTH] = { 'S', 'y', 's', 't', 'e', 'm', 'L', 'i', 'b', 'r', 'a', 'r', 'y', 'D', 'T', 'C' };
SspPrint(( SSP_MISC, "SsprHandleChallengeMessage: Local Call.\n"));
//
// Require the new challenge message if we are going to access the
// server context handle
//
if ( InputTokenSize < sizeof(CHALLENGE_MESSAGE) ) { SecStatus = SEC_E_INVALID_TOKEN; SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: invalid InputTokenSize.\n")); goto Cleanup; }
//
// Open the server's context here within this process.
//
ServerContextHandle = (ULONG_PTR)(ChallengeMessage->ServerContextHandle);
SspContextReferenceContext( ServerContextHandle, FALSE, &ServerContext );
if ( ServerContext == NULL ) { //
// This means the server has lied about this being a local call or
// the server process has exitted.
// this can happen if the client and server have not had netbios
// machine names set, so, allow this and continue processing
// as if this were not loopback.
//
SspPrint(( SSP_WARNING, "SsprHandleChallengeMessage: " "ChallengeMessage bad ServerContextHandle 0x%p\n", ChallengeMessage->ServerContextHandle));
ChallengeMessage->NegotiateFlags &= ~NTLMSSP_NEGOTIATE_LOCAL_CALL; break; }
if(((ServerContext->NegotiateFlags & NTLMSSP_NEGOTIATE_LOCAL_CALL) == 0) || (ServerContext->State != ChallengeSentState) ) { SspPrint(( SSP_WARNING, "SsprHandleChallengeMessage: " "ChallengeMessage claimed ServerContextHandle in bad state 0x%p\n", ChallengeMessage->ServerContextHandle));
ChallengeMessage->NegotiateFlags &= ~NTLMSSP_NEGOTIATE_LOCAL_CALL; break; }
Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_LOCAL_CALL;
//
// Local loopback for network servcice
//
if ( (Context->Credential->MutableCredFlags & SSP_CREDENTIAL_FLAG_WAS_NETWORK_SERVICE) ) { SspPrint((SSP_WARNING, "SsprHandleChallengeMessage using networkservice in local loopback\n"));
ClientLogonId = &LogonIdNetworkService; }
//
// open the token associated with the caller at the time of the
// AcquireCredentialsHandle() call.
//
SecStatus = LsaFunctions->OpenTokenByLogonId( ClientLogonId, &ClientTokenHandle );
if(!NT_SUCCESS(SecStatus)) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: " "Could not open client token 0x%lx\n", SecStatus )); goto Cleanup; }
if( ImpersonationLevel < SecurityImpersonation ) { SspPrint(( SSP_WARNING, "Reducing impersonation level %lu to %lu\n", SecurityImpersonation, ImpersonationLevel)); }
if ((Context->NegotiateFlags & NTLMSSP_NEGOTIATE_IDENTIFY) != 0) { ImpersonationLevel = min(SecurityIdentification, ImpersonationLevel); }
SecStatus = SspDuplicateToken( ClientTokenHandle, ImpersonationLevel, &ServerContext->TokenHandle );
if (!NT_SUCCESS(SecStatus)) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: " "Could not duplicate client token 0x%lx\n", SecStatus )); goto Cleanup; }
//
// enable all privileges in the duplicated token, to be consistent
// with what a network logon normally looks like
// (all privileges held are enabled by default).
//
if(!SspEnableAllPrivilegesToken(ServerContext->TokenHandle)) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: " "Could not enable all privileges for loopback.\n")); }
//
// give local call a hard-coded session key so calls into RDR
// to fetch a session key succeed (eg: RtlGetUserSessionKeyClient)
//
RtlCopyMemory(Context->SessionKey, FixedSessionKey, MSV1_0_USER_SESSION_KEY_LENGTH);
//
// Don't pass any credentials in the authenticate message.
//
RtlInitString( &DomainName, NULL ); RtlInitString( &UserName, NULL ); RtlInitString( &Workstation, NULL ); RtlInitString( &NtChallengeResponse, NULL ); RtlInitString( &LmChallengeResponse, NULL ); RtlInitString( &DatagramSessionKey, NULL );
break; }
//
// If the server is running on a diffent machine,
// determine the caller's DomainName, UserName and ChallengeResponse
// to pass back in the AuthenicateMessage.
//
if ( (ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_LOCAL_CALL) == 0 ) { //
// Build the GetChallengeResponse message to pass to the LSA.
//
PCHAR MarshalPtr; // marshalling pointer
ULONG MarshalBytes; UNICODE_STRING TargetInfo;
CREDENTIAL_TARGET_INFORMATIONW CredTargetInfo;
//
// insure all fields NULL.
//
ZeroMemory( &CredTargetInfo, sizeof(CredTargetInfo) );
ZeroMemory( GetChallengeResponse, sizeof(*GetChallengeResponse) ); GetChallengeResponseSize = sizeof(*GetChallengeResponse); GetChallengeResponse->MessageType = MsV1_0Lm20GetChallengeResponse; GetChallengeResponse->ParameterControl = 0;
if( Context->Credential ) { PUNICODE_STRING TmpDomainName = &(Context->Credential->DomainName); PUNICODE_STRING TmpUserName = &(Context->Credential->UserName); PUNICODE_STRING TmpPassword = &(Context->Credential->Password);
if( (TmpDomainName->Buffer != NULL) || (TmpUserName->Buffer != NULL) || (TmpPassword->Buffer != NULL) ) { UseSuppliedCreds = TRUE; } }
//
// if caller specifically asked for non nt session key, give it to them
//
if ( (ChallengeMessage->NegotiateFlags & NTLMSSP_REQUEST_NON_NT_SESSION_KEY ) || (Context->NegotiateFlags & NTLMSSP_NEGOTIATE_LM_KEY)) { GetChallengeResponse->ParameterControl |= RETURN_NON_NT_USER_SESSION_KEY; }
GetChallengeResponse->ParameterControl |= GCR_NTLM3_PARMS;
//
// if TargetInfo present, use it, otherwise construct it from target name
//
if (Context->NegotiateFlags & NTLMSSP_NEGOTIATE_TARGET_INFO) { if ( InputTokenSize < sizeof(CHALLENGE_MESSAGE) ) { SspPrint(( SSP_CRITICAL, "SspHandleChallengeMessage: " "ChallengeMessage size wrong when target info flag on %ld\n", InputTokenSize )); SecStatus = SEC_E_INVALID_TOKEN; goto Cleanup; }
//
// validate and relocate the target info
//
if (!SspConvertRelativeToAbsolute ( ChallengeMessage, InputTokenSize, &ChallengeMessage->TargetInfo, (PSTRING)&TargetInfo, DoUnicode, TRUE // NULL target info OK
)) { SspPrint(( SSP_CRITICAL, "SspHandleChallengeMessage: " "ChallengeMessage.TargetInfo size wrong %ld\n", InputTokenSize )); SecStatus = SEC_E_INVALID_TOKEN; goto Cleanup; }
//
// Calculate mashal data size for the target info case
//
if( UseSuppliedCreds ) { MarshalBytes = TargetInfo.Length + Context->DomainName.Length + Context->UserName.Length + Context->Password.Length + (4*sizeof(WCHAR)); } else { MarshalBytes = TargetInfo.Length + (DNLEN * sizeof(WCHAR)) + (UNLEN * sizeof(WCHAR)) + (PWLEN * sizeof(WCHAR)) + (4*sizeof(WCHAR)); }
//
// Sets a "reasonable" upper limit on the token size
// to avoid unbounded stack allocations. The limit is
// NTLMSSP_MAX_MESSAGE_SIZE*4 for historical reasons.
//
if((NTLMSSP_MAX_MESSAGE_SIZE*4)<MarshalBytes){ SspPrint(( SSP_CRITICAL, "SspHandleChallengeMessage: " "ChallengeMessage.TargetInfo size wrong %ld\n", InputTokenSize )); SecStatus = SEC_E_INVALID_TOKEN; goto Cleanup; }
//
// Allocate buffer for GetChallengeResponse + marshalled data
//
SafeAllocaAllocate(GetChallengeResponse, MarshalBytes + sizeof(*GetChallengeResponse));
if(!GetChallengeResponse){ SecStatus = STATUS_NO_MEMORY; goto Cleanup; }
//
// Copy in the MSV1_0_GETCHALLENRESP_REQUEST structure so far
//
*GetChallengeResponse = TempChallengeResponse;
MarshalPtr = (PCHAR)(GetChallengeResponse+1);
// TargetInfo now contains the server's netbios domain name
//
// MSV needs the server name to be 'in' the passed in buffer.
//
SspContextCopyStringAbsolute( GetChallengeResponse, (PSTRING)&GetChallengeResponse->ServerName, (PSTRING)&TargetInfo, &MarshalPtr );
GetChallengeResponseSize += GetChallengeResponse->ServerName.Length;
//
// tell GCR that its an AV list.
//
GetChallengeResponse->ParameterControl |= GCR_TARGET_INFO;
// get various target names
if( !UseSuppliedCreds ) {
ULONG AvFlags = 0;
//
// Uplevel -- get the info from the comprehensive TARGET_INFO
//
//
Status = MsvpAvlToString( &TargetInfo, MsvAvNbDomainName, &szCredTargetDomain ); if(!NT_SUCCESS(Status)) { SecStatus = SspNtStatusToSecStatus( Status, SEC_E_INSUFFICIENT_MEMORY ); goto Cleanup; }
Status = MsvpAvlToString( &TargetInfo, MsvAvNbComputerName, &szCredTargetServer ); if(!NT_SUCCESS(Status)) { SecStatus = SspNtStatusToSecStatus( Status, SEC_E_INSUFFICIENT_MEMORY ); goto Cleanup; }
Status = MsvpAvlToString( &TargetInfo, MsvAvDnsDomainName, &szCredTargetDnsDomain ); if(!NT_SUCCESS(Status)) { SecStatus = SspNtStatusToSecStatus( Status, SEC_E_INSUFFICIENT_MEMORY ); goto Cleanup; }
Status = MsvpAvlToString( &TargetInfo, MsvAvDnsComputerName, &szCredTargetDnsServer ); if(!NT_SUCCESS(Status)) { SecStatus = SspNtStatusToSecStatus( Status, SEC_E_INSUFFICIENT_MEMORY ); goto Cleanup; }
Status = MsvpAvlToString( &TargetInfo, MsvAvDnsTreeName, &szCredTargetDnsTree ); if(!NT_SUCCESS(Status)) { SecStatus = SspNtStatusToSecStatus( Status, SEC_E_INSUFFICIENT_MEMORY ); goto Cleanup; }
if ( TargetServerName && TargetServerName->Length ) { //
// check TargetServerName against szTargetServer. If they don't match, we have a DFS share.
// Add Pre-DFS ServerName
//
LPWSTR szTargetServerName = TargetServerName->Buffer; DWORD cchTarget = TargetServerName->Length / sizeof(WCHAR);
DWORD IndexSlash;
for (IndexSlash = 0 ; IndexSlash < cchTarget; IndexSlash++) { if(TargetServerName->Buffer[IndexSlash] == L'/') { cchTarget -= IndexSlash; szTargetServerName = &TargetServerName->Buffer[ IndexSlash+1 ]; break; } }
szCredTargetPreDFSServer = (LPWSTR)NtLmAllocatePrivateHeap( (cchTarget+1) * sizeof(WCHAR) ); if( szCredTargetPreDFSServer == NULL ) { SecStatus = SEC_E_INSUFFICIENT_MEMORY; goto Cleanup; }
CopyMemory( szCredTargetPreDFSServer, szTargetServerName, cchTarget*sizeof(WCHAR) ); szCredTargetPreDFSServer[ cchTarget ] = L'\0';
CredTargetInfo.TargetName = szCredTargetPreDFSServer; }
//
// see if server enabled the funky guest bit (tm)
//
Status = MsvpAvlToFlag( &TargetInfo, MsvAvFlags, &AvFlags ); if( Status == STATUS_SUCCESS ) { if( AvFlags & MSV1_0_AV_FLAG_FORCE_GUEST ) { CredTargetInfo.Flags |= CRED_TI_ONLY_PASSWORD_REQUIRED; } } }
} else {
BOOLEAN DefectiveTarget = FALSE;
// downlevel - first call may have been handled by redir
//
// validate and relocate the target name
//
if (!SspConvertRelativeToAbsolute ( ChallengeMessage, InputTokenSize, &ChallengeMessage->TargetName, (PSTRING)&TargetName, DoUnicode, TRUE // NULL targetname OK
)) { SspPrint(( SSP_CRITICAL, "SspHandleChallengeMessage: " "ChallengeMessage.TargetName size wrong %ld\n", InputTokenSize )); SecStatus = SEC_E_INVALID_TOKEN; goto Cleanup; }
//
// certain flavors of Unix servers set UNICODE and OEM flags,
// but supply an OEM buffer. Try to resolve that here.
//
if ( (DoUnicode) && (ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_OEM) ) { if( IsTextUnicode( TargetName.Buffer, TargetName.Length, NULL ) == 0 ) { DefectiveTarget = TRUE; } }
//
// convert TargetName to Unicode if needed
//
if ( !DoUnicode || DefectiveTarget ) { UNICODE_STRING TempString;
Status = RtlOemStringToUnicodeString( &TempString, (PSTRING)&TargetName, TRUE);
if ( !NT_SUCCESS(Status) ) { SecStatus = SspNtStatusToSecStatus( Status, SEC_E_INSUFFICIENT_MEMORY ); goto Cleanup; }
TargetName = TempString;
if( DefectiveTarget ) { //
// save it so we can free it later.
//
DefectiveTargetName = TargetName; } }
if ( !UseSuppliedCreds ) {
// ChallengeMessage->TargetName will be the server's netbios domain name
if ( TargetName.Buffer && TargetName.Length ) { LPWSTR szTmpTargetName;
szTmpTargetName = (PWSTR)NtLmAllocatePrivateHeap( TargetName.Length + sizeof(WCHAR) ); if( szTmpTargetName == NULL ) { SecStatus = SEC_E_INSUFFICIENT_MEMORY; goto Cleanup; }
RtlCopyMemory( szTmpTargetName, TargetName.Buffer, TargetName.Length ); szTmpTargetName[ TargetName.Length/sizeof(WCHAR) ] = L'\0';
if( ChallengeMessage->NegotiateFlags & NTLMSSP_TARGET_TYPE_SERVER ) { szCredTargetServer = szTmpTargetName; } else if( ChallengeMessage->NegotiateFlags & NTLMSSP_TARGET_TYPE_DOMAIN ) { szCredTargetDomain = szTmpTargetName; } // TODO: what if TARGET_TYPE not specified, or TARGET_TYPE_SHARE ?
}
if ( TargetServerName && TargetServerName->Length ) { //
// check TargetServerName against szTargetServer. If they don't match, we have a DFS share.
// Add Pre-DFS ServerName
//
LPWSTR szTargetServerName = TargetServerName->Buffer; DWORD cchTarget = TargetServerName->Length / sizeof(WCHAR);
DWORD IndexSlash;
for (IndexSlash = 0 ; IndexSlash < cchTarget; IndexSlash++) { if(TargetServerName->Buffer[IndexSlash] == L'/') { cchTarget -= IndexSlash; szTargetServerName = &TargetServerName->Buffer[ IndexSlash+1 ]; break; } }
szCredTargetPreDFSServer = (LPWSTR)NtLmAllocatePrivateHeap( (cchTarget+1) * sizeof(WCHAR) ); if( szCredTargetPreDFSServer == NULL ) { SecStatus = SEC_E_INSUFFICIENT_MEMORY; goto Cleanup; }
CopyMemory( szCredTargetPreDFSServer, szTargetServerName, cchTarget*sizeof(WCHAR) ); szCredTargetPreDFSServer[ cchTarget ] = L'\0';
CredTargetInfo.TargetName = szCredTargetPreDFSServer; }
if( fShareLevel ) { CredTargetInfo.Flags |= CRED_TI_ONLY_PASSWORD_REQUIRED; } }
//
// Calculate mashal data size for the target name case
//
if( UseSuppliedCreds ) { MarshalBytes = TargetName.Length + Context->DomainName.Length + Context->UserName.Length + Context->Password.Length + (4*sizeof(WCHAR)); } else { MarshalBytes = TargetName.Length + (DNLEN * sizeof(WCHAR)) + (UNLEN * sizeof(WCHAR)) + (PWLEN * sizeof(WCHAR)) + (4*sizeof(WCHAR)); }
//
// Set a "reasonable" upper limit on the token size
// to avoid unbounded stack allocations. The limit is
// NTLMSSP_MAX_MESSAGE_SIZE*4 for historical reasons.
//
if((NTLMSSP_MAX_MESSAGE_SIZE*4)<MarshalBytes){ SspPrint(( SSP_CRITICAL, "SspHandleChallengeMessage: " "ChallengeMessage size wrong \n")); SecStatus = SEC_E_INVALID_TOKEN; goto Cleanup; }
//
// Allocate buffer for GetChallengeResponse + marshalled data
//
SafeAllocaAllocate(GetChallengeResponse, MarshalBytes + sizeof(*GetChallengeResponse));
if(!GetChallengeResponse){ SecStatus = STATUS_NO_MEMORY; goto Cleanup; }
//
// Copy in the MSV1_0_GETCHALLENRESP_REQUEST structure so far
//
*GetChallengeResponse = TempChallengeResponse;
MarshalPtr = (PCHAR)(GetChallengeResponse+1);
//
// MSV needs the server name to be 'in' the passed in buffer.
//
SspContextCopyStringAbsolute( GetChallengeResponse, (PSTRING)&GetChallengeResponse->ServerName, (PSTRING)&TargetName, &MarshalPtr );
GetChallengeResponseSize += GetChallengeResponse->ServerName.Length;
}
if ( !UseSuppliedCreds ) { ULONG CredTypes = CRED_TYPE_DOMAIN_PASSWORD;
CredTargetInfo.NetbiosDomainName = szCredTargetDomain; CredTargetInfo.NetbiosServerName = szCredTargetServer; CredTargetInfo.DnsDomainName = szCredTargetDnsDomain; CredTargetInfo.DnsServerName = szCredTargetDnsServer; CredTargetInfo.DnsTreeName = szCredTargetDnsTree; CredTargetInfo.PackageName = NTLMSP_NAME; CredTargetInfo.CredTypeCount = 1; CredTargetInfo.CredTypes = &CredTypes;
//
// if marshalled TargetInfo was supplied, we prefer those fields.
//
if( Context->TargetInfo ) { CredTargetInfo.TargetName = Context->TargetInfo->TargetName; CredTargetInfo.NetbiosServerName = Context->TargetInfo->NetbiosServerName; CredTargetInfo.DnsServerName = Context->TargetInfo->DnsServerName; CredTargetInfo.NetbiosDomainName = Context->TargetInfo->NetbiosDomainName; CredTargetInfo.DnsDomainName = Context->TargetInfo->DnsDomainName; CredTargetInfo.DnsTreeName = Context->TargetInfo->DnsTreeName;
CredTargetInfo.Flags |= Context->TargetInfo->Flags; }
SecStatus = CopyCredManCredentials ( ClientLogonId, &CredTargetInfo, Context, fShareLevel );
if( NT_SUCCESS(SecStatus) ) { fCredmanCredentials = TRUE; }
if( SecStatus == STATUS_NOT_FOUND ) { SecStatus = STATUS_SUCCESS; }
if( !NT_SUCCESS(SecStatus) ) { goto Cleanup; }
//
// for kernel callers, stow away a copy of the marshalled target info.
//
if( Context->KernelClient ) { CredMarshalTargetInfo( &CredTargetInfo, (PUSHORT*)&(Context->pbMarshalledTargetInfo), &Context->cbMarshalledTargetInfo ); } }
SspContextCopyStringAbsolute( GetChallengeResponse, (PSTRING)&GetChallengeResponse->LogonDomainName, (PSTRING)&Context->DomainName, &MarshalPtr );
GetChallengeResponseSize += GetChallengeResponse->LogonDomainName.Length;
SspContextCopyStringAbsolute( GetChallengeResponse, (PSTRING)&GetChallengeResponse->UserName, (PSTRING)&Context->UserName, &MarshalPtr );
GetChallengeResponseSize += GetChallengeResponse->UserName.Length;
//
// Check for null session. This is the case if the caller supplies
// an empty username, domainname, and password.
//
//
// duplicate the hidden password string, then reveal it into
// new buffer. This avoids thread race conditions during hide/reveal
// and also allows us to avoid re-hiding the material.
// TODO: add flag that indicates to LSA that provided password is encrypted.
//
SecStatus = NtLmDuplicatePassword( &RevealedPassword, &Context->Password ); if(!NT_SUCCESS( SecStatus ) ) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: NtLmDuplicatePassword returned %d\n",Status)); goto Cleanup; }
SspRevealPassword(&RevealedPassword);
if (((Context->ContextFlags & ISC_RET_NULL_SESSION) != 0) || (((Context->DomainName.Length == 0) && (Context->DomainName.Buffer != NULL)) && ((Context->UserName.Length == 0) && (Context->UserName.Buffer != NULL)) && ((Context->Password.Length == 0) && (Context->Password.Buffer != NULL)))) {
#define NULL_SESSION_REQUESTED RETURN_RESERVED_PARAMETER
SspPrint(( SSP_WARNING, "SsprHandleChallengeMessage: null session context\n" ));
GetChallengeResponse->ParameterControl |= NULL_SESSION_REQUESTED | USE_PRIMARY_PASSWORD;
} else {
//
// We aren't doing a null session intentionally. MSV may choose
// to do a null session if we have no credentials available.
//
if ( Context->DomainName.Buffer == NULL ) { BOOLEAN FoundAt = FALSE;
//
// if it's a UPN, don't fill in the domain field.
//
if( Context->UserName.Buffer != NULL ) { ULONG i;
for(i = 0 ; i < (Context->UserName.Length / sizeof(WCHAR)) ; i++) { if( Context->UserName.Buffer[i] == '@' ) { FoundAt = TRUE; break; } } }
if( !FoundAt ) { GetChallengeResponse->ParameterControl |= RETURN_PRIMARY_LOGON_DOMAINNAME; } }
if ( Context->UserName.Buffer == NULL ) { GetChallengeResponse->ParameterControl |= RETURN_PRIMARY_USERNAME; }
//
// The password may be a zero length password
//
GetChallengeResponse->Password = RevealedPassword; if ( Context->Password.Buffer == NULL ) {
GetChallengeResponse->ParameterControl |= USE_PRIMARY_PASSWORD;
} else { //
// MSV needs the password to be 'in' the passed in buffer.
//
RtlCopyMemory(MarshalPtr, GetChallengeResponse->Password.Buffer, GetChallengeResponse->Password.Length);
GetChallengeResponse->Password.Buffer = (LPWSTR)(MarshalPtr); GetChallengeResponseSize += GetChallengeResponse->Password.Length + sizeof(WCHAR);
} }
//
// scrub the cleartext password now to avoid pagefile exposure
// during lengthy processing.
//
if( RevealedPassword.Buffer != NULL ) { ZeroMemory( RevealedPassword.Buffer, RevealedPassword.Length ); NtLmFreePrivateHeap( RevealedPassword.Buffer ); RevealedPassword.Buffer = NULL; }
GetChallengeResponse->LogonId = *ClientLogonId;
RtlCopyMemory( &GetChallengeResponse->ChallengeToClient, ChallengeMessage->Challenge, MSV1_0_CHALLENGE_LENGTH );
//
// if NTLM2 negotiated, then ask MSV1_0 to mix my challenge with the server's...
//
if (Context->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2) { GetChallengeResponse->ParameterControl |= GENERATE_CLIENT_CHALLENGE; } else {
//
// if it's share level, and:
// 1. User only supplied a password, or
// 2. Credman returned the creds
// allow downgrade to NTLMv1 from NTLMv2.
//
if( fShareLevel ) { if( (GetChallengeResponse->UserName.Length == 0) && (GetChallengeResponse->LogonDomainName.Length == 0) && (GetChallengeResponse->Password.Buffer != NULL) ) { GetChallengeResponse->ParameterControl |= GCR_ALLOW_NTLM; }
if( fCredmanCredentials ) { GetChallengeResponse->ParameterControl |= GCR_ALLOW_NTLM; } } }
//
// Get the DomainName, UserName, and ChallengeResponse from the MSV
//
Status = LsaApCallPackage( (PLSA_CLIENT_REQUEST)(-1), GetChallengeResponse, GetChallengeResponse, GetChallengeResponseSize, (PVOID *)&ChallengeResponseMessage, &ChallengeResponseSize, &ProtocolStatus );
if ( !NT_SUCCESS(Status) ) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: " "ChallengeMessage LsaCall to get ChallengeResponse returns 0x%lx\n", Status )); SecStatus = SspNtStatusToSecStatus( Status, SEC_E_NO_CREDENTIALS); goto Cleanup; }
if ( !NT_SUCCESS(ProtocolStatus) ) { Status = ProtocolStatus; SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: ChallengeMessage LsaCall " "to get ChallengeResponse returns ProtocolStatus 0x%lx\n", Status )); SecStatus = SspNtStatusToSecStatus( Status, SEC_E_NO_CREDENTIALS); goto Cleanup; }
//
// Check to see if we are doing a null session
//
if ((ChallengeResponseMessage->CaseSensitiveChallengeResponse.Length == 0) && (ChallengeResponseMessage->CaseInsensitiveChallengeResponse.Length == 1)) {
SspPrint(( SSP_WARNING, "SsprHandleChallengeMessage: null session\n" ));
*ContextAttributes |= ISC_RET_NULL_SESSION; Context->ContextFlags |= ISC_RET_NULL_SESSION; Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_NULL_SESSION; } else {
//
// Normalize things by copying the default domain name and user name
// into the ChallengeResponseMessage structure.
//
if ( Context->DomainName.Buffer != NULL ) { ChallengeResponseMessage->LogonDomainName = Context->DomainName; } if ( Context->UserName.Buffer != NULL ) { ChallengeResponseMessage->UserName = Context->UserName; } }
//
// Convert the domainname/user name to the right character set.
//
if ( DoUnicode ) { DomainName = *(PSTRING)&ChallengeResponseMessage->LogonDomainName; UserName = *(PSTRING)&ChallengeResponseMessage->UserName; Workstation = *(PSTRING)&NtLmGlobalUnicodeComputerNameString; } else { Status = RtlUpcaseUnicodeStringToOemString( &DomainName, &ChallengeResponseMessage->LogonDomainName, TRUE);
if ( !NT_SUCCESS(Status) ) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: RtlUpcaseUnicodeToOemString (DomainName) returned 0x%lx.\n", Status)); SecStatus = SspNtStatusToSecStatus( Status, SEC_E_INSUFFICIENT_MEMORY); goto Cleanup; }
Status = RtlUpcaseUnicodeStringToOemString( &UserName, &ChallengeResponseMessage->UserName, TRUE);
if ( !NT_SUCCESS(Status) ) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: RtlUpcaseUnicodeToOemString (UserName) returned 0x%lx.\n", Status)); SecStatus = SspNtStatusToSecStatus( Status, SEC_E_INSUFFICIENT_MEMORY); goto Cleanup; } Workstation = NtLmGlobalOemComputerNameString;
}
//
// Save the ChallengeResponses
//
LmChallengeResponse = ChallengeResponseMessage->CaseInsensitiveChallengeResponse; NtChallengeResponse = ChallengeResponseMessage->CaseSensitiveChallengeResponse;
//
// prepare to send encrypted randomly generated session key
//
DatagramSessionKey.Buffer = (CHAR*)DatagramKey; DatagramSessionKey.Length = DatagramSessionKey.MaximumLength = 0;
//
// Generate the session key, or encrypt the previosly generated random one,
// from various bits of info. Fill in session key if needed.
//
SecStatus = SsprMakeSessionKey( Context, &LmChallengeResponse, ChallengeResponseMessage->UserSessionKey, ChallengeResponseMessage->LanmanSessionKey, &DatagramSessionKey );
if (SecStatus != SEC_E_OK) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: SsprMakeSessionKey\n")); goto Cleanup; }
}
//
// If the caller specified SEQUENCE_DETECT or REPLAY_DETECT,
// that means they want to use the MakeSignature/VerifySignature
// calls. Add this to the returned attributes and the context
// negotiate flags.
//
if ((Context->NegotiateFlags & ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_SIGN) || (ContextReqFlags & ISC_REQ_REPLAY_DETECT)) {
Context->ContextFlags |= ISC_RET_REPLAY_DETECT; *ContextAttributes |= ISC_RET_REPLAY_DETECT; Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_SIGN; }
if ((Context->NegotiateFlags & ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_SIGN) || (ContextReqFlags & ISC_REQ_SEQUENCE_DETECT)) {
Context->ContextFlags |= ISC_RET_SEQUENCE_DETECT; *ContextAttributes |= ISC_RET_SEQUENCE_DETECT; Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_SIGN; }
if ((Context->NegotiateFlags & ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_SIGN) || (ContextReqFlags & ISC_REQ_INTEGRITY)) {
Context->ContextFlags |= ISC_RET_INTEGRITY; *ContextAttributes |= ISC_RET_INTEGRITY; Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_SIGN; }
if ((Context->NegotiateFlags & ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_SEAL) || (ContextReqFlags & ISC_REQ_CONFIDENTIALITY)) { if (NtLmGlobalEncryptionEnabled) { Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_SEAL; Context->ContextFlags |= ISC_REQ_CONFIDENTIALITY; *ContextAttributes |= ISC_REQ_CONFIDENTIALITY; } else { SecStatus = STATUS_NOT_SUPPORTED; SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: NtLmGlobalEncryption not enabled.\n")); goto Cleanup; } }
if ((Context->NegotiateFlags & ChallengeMessage->NegotiateFlags & NTLMSSP_NEGOTIATE_DATAGRAM) == NTLMSSP_NEGOTIATE_DATAGRAM ) { *ContextAttributes |= ISC_RET_DATAGRAM; Context->ContextFlags |= ISC_RET_DATAGRAM; Context->NegotiateFlags |= NTLMSSP_NEGOTIATE_DATAGRAM; }
//
// Slip in the hacky mutual auth override here:
//
if ( ((ContextReqFlags & ISC_REQ_MUTUAL_AUTH) != 0 ) && (NtLmGlobalMutualAuthLevel < 2 ) ) {
*ContextAttributes |= ISC_RET_MUTUAL_AUTH ;
if ( NtLmGlobalMutualAuthLevel == 0 ) { Context->ContextFlags |= ISC_RET_MUTUAL_AUTH ; }
}
if( (Context->NegotiateFlags & NTLMSSP_NEGOTIATE_LOCAL_CALL) && (ContextReqFlags & ISC_REQ_DELEGATE) ) { //
// for loopback, we can indeed support another hop.
//
*ContextAttributes |= ISC_RET_DELEGATE; Context->ContextFlags |= ISC_RET_DELEGATE; }
//
// Allocate an authenticate message
//
AuthenticateMessageSize = sizeof(*AuthenticateMessage) + LmChallengeResponse.Length + NtChallengeResponse.Length + DomainName.Length + UserName.Length + Workstation.Length + DatagramSessionKey.Length;
if ((ContextReqFlags & ISC_REQ_ALLOCATE_MEMORY) == 0) { if ( AuthenticateMessageSize > *OutputTokenSize ) { SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: OutputTokenSize is 0x%lx.\n", *OutputTokenSize)); SecStatus = SEC_E_BUFFER_TOO_SMALL; goto Cleanup; } }
AuthenticateMessage = (PAUTHENTICATE_MESSAGE) NtLmAllocateLsaHeap(AuthenticateMessageSize );
if ( AuthenticateMessage == NULL ) { SecStatus = STATUS_NO_MEMORY; SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: Error allocating AuthenticateMessage.\n" )); goto Cleanup; }
//
// Build the authenticate message
//
strcpy( (char *)AuthenticateMessage->Signature, NTLMSSP_SIGNATURE ); AuthenticateMessage->MessageType = NtLmAuthenticate;
Where = (PCHAR)(AuthenticateMessage+1);
//
// Copy the strings needing 2 byte alignment.
//
SspContextCopyString( AuthenticateMessage, &AuthenticateMessage->DomainName, &DomainName, &Where );
SspContextCopyString( AuthenticateMessage, &AuthenticateMessage->UserName, &UserName, &Where );
SspContextCopyString( AuthenticateMessage, &AuthenticateMessage->Workstation, &Workstation, &Where );
//
// Copy the strings not needing special alignment.
//
SspContextCopyString( AuthenticateMessage, &AuthenticateMessage->LmChallengeResponse, &LmChallengeResponse, &Where );
SspContextCopyString( AuthenticateMessage, &AuthenticateMessage->NtChallengeResponse, &NtChallengeResponse, &Where );
SspContextCopyString( AuthenticateMessage, &AuthenticateMessage->SessionKey, &DatagramSessionKey, &Where );
AuthenticateMessage->NegotiateFlags = Context->NegotiateFlags;
SspPrint(( SSP_NEGOTIATE_FLAGS, "SsprHandleChallengeMessage: ChallengeFlags: %lx AuthenticateFlags: %lx\n", ChallengeMessage->NegotiateFlags, AuthenticateMessage->NegotiateFlags ));
//
// Copy the AuthenticateMessage to the caller's address space.
//
if ((ContextReqFlags & ISC_REQ_ALLOCATE_MEMORY) == 0) { RtlCopyMemory( *OutputToken, AuthenticateMessage, AuthenticateMessageSize ); } else { *OutputToken = AuthenticateMessage; AuthenticateMessage = NULL; *ContextAttributes |= ISC_RET_ALLOCATED_MEMORY; }
*OutputTokenSize = AuthenticateMessageSize;
// we need to send a second token back for the rdr
if (fCallFromRedir) { NtLmInitializeResponse = (PNTLM_INITIALIZE_RESPONSE) NtLmAllocateLsaHeap(sizeof(NTLM_INITIALIZE_RESPONSE));
if ( NtLmInitializeResponse == NULL ) { SecStatus = STATUS_NO_MEMORY; SspPrint(( SSP_CRITICAL, "SsprHandleChallengeMessage: Error allocating NtLmInitializeResponse.\n" )); goto Cleanup; } RtlCopyMemory( NtLmInitializeResponse->UserSessionKey, ChallengeResponseMessage->UserSessionKey, MSV1_0_USER_SESSION_KEY_LENGTH );
RtlCopyMemory( NtLmInitializeResponse->LanmanSessionKey, ChallengeResponseMessage->LanmanSessionKey, MSV1_0_LANMAN_SESSION_KEY_LENGTH ); *SecondOutputToken = NtLmInitializeResponse; NtLmInitializeResponse = NULL; *SecondOutputTokenSize = sizeof(NTLM_INITIALIZE_RESPONSE); }
SspPrint((SSP_API_MORE,"Client session key = %p\n",Context->SessionKey));
//
// Return output parameters to the caller.
//
*ExpirationTime = SspContextGetTimeStamp( Context, TRUE );
SecStatus = STATUS_SUCCESS;
//
// Free and locally used resources.
//
Cleanup:
if( RevealedPassword.Buffer != NULL ) { ZeroMemory( RevealedPassword.Buffer, RevealedPassword.Length ); NtLmFreePrivateHeap( RevealedPassword.Buffer ); }
if( ServerContext != NULL ) { SspContextDereferenceContext( ServerContext ); }
if ( Context != NULL ) {
Context->LastStatus = SecStatus; Context->DownLevel = fCallFromRedir;
//
// Don't allow this context to be used again.
//
if ( NT_SUCCESS(SecStatus) ) { Context->State = AuthenticateSentState; } else if ( SecStatus == SEC_I_CALL_NTLMSSP_SERVICE ) { Context->State = PassedToServiceState; } else { Context->State = IdleState; }
RtlCopyMemory( SessionKey, Context->SessionKey, MSV1_0_USER_SESSION_KEY_LENGTH );
*NegotiateFlags = Context->NegotiateFlags;
// If we just created the context (because rdr may be talking to
// a pre NT 5.0 server,, we need to dereference it again.
if (fCallFromRedir && !NT_SUCCESS(SecStatus)) { PSSP_CONTEXT LocalContext; SspContextReferenceContext( *ContextHandle, TRUE, &LocalContext ); ASSERT(LocalContext != NULL); if (LocalContext != NULL) { SspContextDereferenceContext( LocalContext ); } }
SspContextDereferenceContext( Context );
}
if(szCredTargetPreDFSServer != NULL) { NtLmFreePrivateHeap( szCredTargetPreDFSServer ); }
if(szCredTargetDomain != NULL) { NtLmFreePrivateHeap( szCredTargetDomain ); }
if(szCredTargetServer != NULL) { NtLmFreePrivateHeap( szCredTargetServer ); }
if(szCredTargetDnsDomain != NULL) { NtLmFreePrivateHeap( szCredTargetDnsDomain ); }
if(szCredTargetDnsServer != NULL) { NtLmFreePrivateHeap( szCredTargetDnsServer ); }
if(szCredTargetDnsTree != NULL) { NtLmFreePrivateHeap( szCredTargetDnsTree ); }
if ( ChallengeMessage != NULL ) { (VOID) NtLmFreePrivateHeap( ChallengeMessage ); }
if ( AuthenticateMessage != NULL ) { (VOID) NtLmFreeLsaHeap( AuthenticateMessage ); }
if ( ChallengeResponseMessage != NULL ) { (VOID) LsaFunctions->FreeLsaHeap( ChallengeResponseMessage ); }
if ( !DoUnicode ) { RtlFreeUnicodeString( &TargetName );
if ( DomainName.Buffer != NULL) { RtlFreeOemString( &DomainName ); } if ( UserName.Buffer != NULL) { RtlFreeOemString( &UserName ); } }
RtlFreeUnicodeString( &DefectiveTargetName );
if( ClientTokenHandle ) { CloseHandle( ClientTokenHandle ); }
if(GetChallengeResponse && (GetChallengeResponse!=&TempChallengeResponse)){ SafeAllocaFree(GetChallengeResponse); }
SspPrint(( SSP_API_MORE, "Leaving SsprHandleChallengeMessage: 0x%lx\n", SecStatus )); return SecStatus;
}
NTSTATUSCredpParseUserName( IN OUT LPWSTR ParseName, OUT LPWSTR* pUserName, OUT LPWSTR* pDomainName )
/*++
Routine Description:
This routine separates a passed in user name into domain and username. A user name must have one of the following two syntaxes:
<DomainName>\<UserName> <UserName>@<DnsDomainName>
The name is considered to have the first syntax if the string contains an \. A string containing a @ is ambiguous since <UserName> may contain an @.
For the second syntax, the last @ in the string is used since <UserName> may contain an @ but <DnsDomainName> cannot.
Arguments:
ParseName - Name of user to validate - will be modified
pUserName - Returned pointing to canonical name inside of ParseName
pDomainName - Returned pointing to domain name inside of ParseName
Return Values:
The following status codes may be returned:
STATUS_INVALID_ACCOUNT_NAME - The user name is not valid.
--*/
{
LPWSTR SlashPointer;
*pUserName = NULL; *pDomainName = NULL;
//
// NULL is invalid
//
if ( ParseName == NULL ) { return STATUS_INVALID_ACCOUNT_NAME; }
//
// Classify the input account name.
//
// The name is considered to be <DomainName>\<UserName> if the string
// contains an \.
//
SlashPointer = wcsrchr( ParseName, L'\\' );
if ( SlashPointer != NULL ) {
//
// point the output strings
//
*pDomainName = ParseName;
//
// Skip the backslash
//
*SlashPointer = L'\0'; SlashPointer ++;
*pUserName = SlashPointer;
} else {
//
// it's a UPN.
// leave it intact in the UserName field.
// set the DomainName to empty string, so the rest of the logon code
// avoids filling in the default.
//
*pUserName = ParseName; *pDomainName = L""; }
return STATUS_SUCCESS;}
NTSTATUSCopyCredManCredentials( IN PLUID LogonId, CREDENTIAL_TARGET_INFORMATIONW* pTargetInfo, IN OUT PSSP_CONTEXT Context, IN BOOLEAN fShareLevel )
/*++
Routine Description:
Look for a keyring credential entry for the specified domain, and copy to Context handle if found
Arguments:
LogonId -- LogonId of the calling process.
pTargetInfo -- Information on target to search for creds.
Context - Points to the ContextHandle of the Context to be referenced.
Return Value:
STATUS_SUCCESS -- All OK
STATUS_NOT_FOUND - Credential couldn't be found.
All others are real failures and should be returned to the caller.--*/
{ NTSTATUS Status; PENCRYPTED_CREDENTIALW *EncryptedCredentials = NULL; PCREDENTIALW *Credentials = NULL; ULONG CredentialCount; WCHAR* UserName = NULL; WCHAR* DomainName = NULL; ULONG CredIndex;
if (!Context) // validate context only after call to Lookup
{ return STATUS_NOT_FOUND; }
Status = LsaFunctions->CrediReadDomainCredentials( LogonId, CREDP_FLAGS_IN_PROCESS, // Allow password to be returned
pTargetInfo, 0, // no flags
&CredentialCount, &EncryptedCredentials );
Credentials = (PCREDENTIALW *)EncryptedCredentials;
if(!NT_SUCCESS(Status)) { //
// Ideally, only STATUS_NO_SUCH_LOGON_SESSION should be converted to
// STATUS_NOT_FOUND. However, swallowing all failures and asserting
// these specific two works around a bug in CrediReadDomainCredentials
// which returns invalid parameter if the target is a user account name.
// Eventually, CrediReadDomainCredentials should return a more appropriate
// error in this case.
//
SspPrint(( SSP_API_MORE, "CopyCredManCredentials: CrediReadDomainCredentials returned %x\n", Status )); ASSERT( (Status == STATUS_NO_SUCH_LOGON_SESSION)|| (Status == STATUS_INVALID_PARAMETER)|| (Status == STATUS_NOT_FOUND) ); return STATUS_NOT_FOUND; }
//
// Loop through the list of credentials
//
for ( CredIndex=0; CredIndex<CredentialCount; CredIndex++ ) {
UNICODE_STRING TempString;
//
// NTLM only supports password credentials
//
if ( Credentials[CredIndex]->Type != CRED_TYPE_DOMAIN_PASSWORD ) { continue; }
if ( Credentials[CredIndex]->Flags & CRED_FLAGS_PROMPT_NOW ) { Status = SEC_E_LOGON_DENIED; goto Cleanup; }
//
// Sanity check the credential
//
if ( Credentials[CredIndex]->UserName == NULL ) { Status = STATUS_NOT_FOUND; goto Cleanup; }
//
// For Share level connects, don't allow matching against * creds.
//
if( fShareLevel ) { if( (Credentials[CredIndex]->TargetName) && (wcschr( Credentials[CredIndex]->TargetName, L'*' ) != NULL) ) { continue; } }
//
// Convert the UserName to domain name and user name
//
Status = CredpParseUserName ( Credentials[CredIndex]->UserName, &UserName, &DomainName );
if(!NT_SUCCESS(Status)) { goto Cleanup; }
//
// Free the existing domain name and add the new one
//
if (Context->DomainName.Buffer) { NtLmFreePrivateHeap (Context->DomainName.Buffer); Context->DomainName.Buffer = NULL; Context->DomainName.Length = 0; }
if( DomainName ) { RtlInitUnicodeString( &TempString, DomainName );
Status = NtLmDuplicateUnicodeString(&Context->DomainName, &TempString); if ( !NT_SUCCESS( Status ) ) { goto Cleanup; } }
//
// Free the existing user name and add the new one
//
RtlInitUnicodeString( &TempString, UserName );
if (Context->UserName.Buffer) { NtLmFreePrivateHeap (Context->UserName.Buffer); Context->UserName.Buffer = NULL; }
Status = NtLmDuplicateUnicodeString(&Context->UserName, &TempString); if ( !NT_SUCCESS( Status ) ) { goto Cleanup; }
//
// Free the existing password and add the new one
//
TempString.Buffer = (LPWSTR)Credentials[CredIndex]->CredentialBlob; TempString.MaximumLength = (USHORT) Credentials[CredIndex]->CredentialBlobSize; TempString.Length = (USHORT) EncryptedCredentials[CredIndex]->ClearCredentialBlobSize;
if (Context->Password.Buffer) { NtLmFreePrivateHeap (Context->Password.Buffer); Context->Password.Buffer = NULL; }
// zero length password must be treated as blank or NTLM will assume it should use the
// password of the currently logged in user.
if ( TempString.Length == 0 ) { TempString.Buffer = L""; }
Status = NtLmDuplicatePassword(&Context->Password, &TempString); if ( !NT_SUCCESS( Status ) ) { goto Cleanup; }
goto Cleanup; }
Status = STATUS_NOT_FOUND;
Cleanup:
//
// Free the returned credentials
//
LsaFunctions->CrediFreeCredentials( CredentialCount, EncryptedCredentials );
return Status;}
NTSTATUSCredpExtractMarshalledTargetInfo( IN PUNICODE_STRING TargetServerName, OUT CREDENTIAL_TARGET_INFORMATIONW **pTargetInfo ){ PWSTR Candidate; ULONG CandidateSize;
CREDENTIAL_TARGET_INFORMATIONW *OldTargetInfo = NULL; NTSTATUS Status = STATUS_SUCCESS;
//
// LSA will set Length to include only the non-marshalled portion,
// with MaximumLength trailing data to include marshalled portion.
//
if( (TargetServerName == NULL) || (TargetServerName->Buffer == NULL) || (TargetServerName->Length >= TargetServerName->MaximumLength) || ((TargetServerName->MaximumLength - TargetServerName->Length) < (sizeof( CREDENTIAL_TARGET_INFORMATIONW )/(sizeof(ULONG_PTR)/2)) ) ) { return STATUS_SUCCESS; }
RtlCopyMemory( &CandidateSize, (PBYTE)TargetServerName->Buffer + TargetServerName->MaximumLength - sizeof(ULONG), sizeof( CandidateSize ) );
if( CandidateSize >= TargetServerName->MaximumLength ) { return STATUS_SUCCESS; }
Candidate = (PWSTR)( (PBYTE)TargetServerName->Buffer + TargetServerName->MaximumLength - CandidateSize );
OldTargetInfo = *pTargetInfo;
Status = CredUnmarshalTargetInfo ( Candidate, CandidateSize, pTargetInfo );
if( !NT_SUCCESS(Status) ) { if( Status == STATUS_INVALID_PARAMETER ) { Status = STATUS_SUCCESS; } }
if( OldTargetInfo != NULL ) { LocalFree( OldTargetInfo ); }
return Status ;}
NTSTATUSCredpProcessUserNameCredential( IN PUNICODE_STRING MarshalledUserName, OUT PUNICODE_STRING UserName, OUT PUNICODE_STRING DomainName, OUT PUNICODE_STRING Password ){ WCHAR FastUserName[ UNLEN+1 ]; LPWSTR SlowUserName = NULL; LPWSTR TempUserName; CRED_MARSHAL_TYPE CredMarshalType; PUSERNAME_TARGET_CREDENTIAL_INFO pCredentialUserName = NULL;
CREDENTIAL_TARGET_INFORMATIONW TargetInfo; ULONG CredTypes;
SECPKG_CLIENT_INFO ClientInfo; SSP_CONTEXT SspContext; NTSTATUS Status = STATUS_NOT_FOUND;
ZeroMemory( &SspContext, sizeof(SspContext) );
if( (MarshalledUserName->Length+sizeof(WCHAR)) <= sizeof(FastUserName) ) { TempUserName = FastUserName; } else {
SlowUserName = (LPWSTR)NtLmAllocatePrivateHeap( MarshalledUserName->Length + sizeof(WCHAR) ); if( SlowUserName == NULL ) { return STATUS_INSUFFICIENT_RESOURCES; }
TempUserName = SlowUserName; }
//
// copy the input to a NULL terminated string, then attempt to unmarshal it.
//
RtlCopyMemory( TempUserName, MarshalledUserName->Buffer, MarshalledUserName->Length );
TempUserName[ MarshalledUserName->Length / sizeof(WCHAR) ] = L'\0';
if(!CredUnmarshalCredentialW( TempUserName, &CredMarshalType, (VOID**)&pCredentialUserName )) { goto Cleanup; }
if( (CredMarshalType != UsernameTargetCredential) ) { goto Cleanup; }
//
// now query credential manager for a match.
//
Status = LsaFunctions->GetClientInfo(&ClientInfo); if(!NT_SUCCESS(Status)) { goto Cleanup; }
ZeroMemory( &TargetInfo, sizeof(TargetInfo) );
CredTypes = CRED_TYPE_DOMAIN_PASSWORD;
TargetInfo.Flags = CRED_TI_USERNAME_TARGET; TargetInfo.TargetName = pCredentialUserName->UserName; TargetInfo.PackageName = NTLMSP_NAME; TargetInfo.CredTypeCount = 1; TargetInfo.CredTypes = &CredTypes;
Status = CopyCredManCredentials( &ClientInfo.LogonId, &TargetInfo, &SspContext, FALSE );
if(!NT_SUCCESS(Status)) { goto Cleanup; }
*UserName = SspContext.UserName; *DomainName = SspContext.DomainName; *Password = SspContext.Password; SspRevealPassword( Password );
Status = STATUS_SUCCESS;
Cleanup:
if(!NT_SUCCESS(Status)) { NtLmFreePrivateHeap( SspContext.UserName.Buffer ); NtLmFreePrivateHeap( SspContext.DomainName.Buffer ); NtLmFreePrivateHeap( SspContext.Password.Buffer ); }
if( SlowUserName ) { NtLmFreePrivateHeap( SlowUserName ); }
if( pCredentialUserName != NULL ) { CredFree( pCredentialUserName ); }
return Status;}
#if 0
//+-------------------------------------------------------------------------
//
// Function: SpQueryLsaModeContextAttributes
//
// Synopsis: Querys attributes of the specified context
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
ULONG SavedUseValidated = 0xFF;WCHAR SavedCredentialName[1024] = L"SaveMe";ULONG SavedCredentialType = 0x22;
ULONG SavedCredTypes = CRED_TYPE_DOMAIN_PASSWORD;CREDENTIAL_TARGET_INFORMATIONW SavedTargetInfo = { L"ntdsdc9", L"NTDSDC9", L"NTDSDC9.ntdev.microsoft.com", L"NTDEV", L"ntdev.microsoft.com", L"ntdev.microsoft.com", L"NTLM", 0, 1, &SavedCredTypes};
NTSTATUS NTAPISpQueryLsaModeContextAttributes( IN LSA_SEC_HANDLE ContextHandle, IN ULONG ContextAttribute, IN OUT PVOID Buffer ){ NTSTATUS Status = STATUS_SUCCESS; DWORD WinStatus; PSSP_CONTEXT Context = NULL; SecPkgContext_CredentialNameW CredentialNameInfo; ULONG CredentialNameSize; LPWSTR UserCredentialName;
PCREDENTIAL_TARGET_INFORMATIONW TempTargetInfo = NULL; ULONG TempTargetInfoSize; PCREDENTIAL_TARGET_INFORMATIONW UserTargetInfo; SecPkgContext_TargetInformationW TargetInfo;
SspPrint((SSP_API, "Entering SpQueryLsaModeContextAttributes for ctxt:0x%x, Attr:0x%x\n", ContextHandle, ContextAttribute));
//
// Find the currently existing context.
//
Status = SspContextReferenceContext( ContextHandle, FALSE, &Context );
if ( !NT_SUCCESS(Status) ) { SspPrint(( SSP_CRITICAL, "SpQueryLsaModeContextAttributes: invalid context handle.\n" )); goto Cleanup; }
//
// Return the appropriate information
//
switch(ContextAttribute) { case SECPKG_ATTR_CREDENTIAL_NAME:
CredentialNameSize = (wcslen(SavedCredentialName) + 1) * sizeof(WCHAR);
Status = LsaFunctions->AllocateClientBuffer( NULL, CredentialNameSize, (PVOID *) &UserCredentialName );
if (!NT_SUCCESS(Status)) { goto Cleanup; }
// Copy the name to the user's address space
Status = LsaFunctions->CopyToClientBuffer( NULL, CredentialNameSize, UserCredentialName, SavedCredentialName );
if (!NT_SUCCESS(Status)) { goto Cleanup; }
// Copy the struct itself to the user's address space
CredentialNameInfo.CredentialType = SavedCredentialType; CredentialNameInfo.sCredentialName = UserCredentialName;
Status = LsaFunctions->CopyToClientBuffer( NULL, sizeof(CredentialNameInfo), Buffer, &CredentialNameInfo );
if (!NT_SUCCESS(Status)) { goto Cleanup; }
break;
case SECPKG_ATTR_TARGET_INFORMATION:
//
// Marshall the target info into a single buffer.
//
WinStatus = CredpConvertTargetInfo ( DoWtoW, &SavedTargetInfo, &TempTargetInfo, &TempTargetInfoSize );
if ( WinStatus != NO_ERROR ) { Status = STATUS_NO_MEMORY; goto Cleanup; }
//
// Allocate a buffer the same size in the client's address space.
//
Status = LsaFunctions->AllocateClientBuffer( NULL, TempTargetInfoSize, (PVOID *) &UserTargetInfo );
if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// Relocate all pointers to be user-buffer-specific
// YUCK!!
//
TempTargetInfo->TargetName = (LPWSTR)( ((LPBYTE)(TempTargetInfo->TargetName)) - ((LPBYTE)(TempTargetInfo)) + ((LPBYTE)UserTargetInfo) ); TempTargetInfo->NetbiosServerName = (LPWSTR)( ((LPBYTE)(TempTargetInfo->NetbiosServerName)) - ((LPBYTE)(TempTargetInfo)) + ((LPBYTE)UserTargetInfo) ); TempTargetInfo->DnsServerName = (LPWSTR)( ((LPBYTE)(TempTargetInfo->DnsServerName)) - ((LPBYTE)(TempTargetInfo)) + ((LPBYTE)UserTargetInfo) );
TempTargetInfo->NetbiosDomainName = (LPWSTR)( ((LPBYTE)(TempTargetInfo->NetbiosDomainName)) - ((LPBYTE)(TempTargetInfo)) + ((LPBYTE)UserTargetInfo) ); TempTargetInfo->DnsDomainName = (LPWSTR)( ((LPBYTE)(TempTargetInfo->DnsDomainName)) - ((LPBYTE)(TempTargetInfo)) + ((LPBYTE)UserTargetInfo) ); TempTargetInfo->DnsTreeName = (LPWSTR)( ((LPBYTE)(TempTargetInfo->DnsTreeName)) - ((LPBYTE)(TempTargetInfo)) + ((LPBYTE)UserTargetInfo) ); TempTargetInfo->PackageName = (LPWSTR)( ((LPBYTE)(TempTargetInfo->PackageName)) - ((LPBYTE)(TempTargetInfo)) + ((LPBYTE)UserTargetInfo) ); TempTargetInfo->CredTypes = (LPDWORD)( ((LPBYTE)(TempTargetInfo->CredTypes)) - ((LPBYTE)(TempTargetInfo)) + ((LPBYTE)UserTargetInfo) );
//
// Copy the target info to the user's address space
//
Status = LsaFunctions->CopyToClientBuffer( NULL, TempTargetInfoSize, UserTargetInfo, TempTargetInfo );
if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// Copy the struct itself to the user's address space
//
TargetInfo.TargetInformation = UserTargetInfo;
Status = LsaFunctions->CopyToClientBuffer( NULL, sizeof(TargetInfo), Buffer, &TargetInfo );
if (!NT_SUCCESS(Status)) { goto Cleanup; }
break;
default: Status = STATUS_NOT_SUPPORTED; break; }
Cleanup: if (Context != NULL) { SspContextDereferenceContext( Context ); } if ( TempTargetInfo != NULL ) { CredFree( TempTargetInfo ); }
SspPrint((SSP_API, "Leaving SpQueryLsaModeContextAttributes for ctxt:0x%x, Attr:0x%x\n", ContextHandle, ContextAttribute));
return (SspNtStatusToSecStatus(Status, SEC_E_INTERNAL_ERROR));}
//+-------------------------------------------------------------------------
//
// Function: SpSetContextAttributes
//
// Synopsis: Set attributes of the specified context
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPISpSetContextAttributes( IN LSA_SEC_HANDLE ContextHandle, IN ULONG ContextAttribute, IN PVOID Buffer, IN ULONG BufferSize ){ NTSTATUS Status = STATUS_SUCCESS; PSSP_CONTEXT Context = NULL; PSecPkgContext_CredentialNameW CredentialNameInfo; ULONG CredentialNameSize; LPBYTE LocalBuffer = NULL;
SspPrint((SSP_API, "Entering SpSetContextAttributes for ctxt:0x%x, Attr:0x%x\n", ContextHandle, ContextAttribute));
//
// Find the currently existing context.
//
Status = SspContextReferenceContext( ContextHandle, FALSE, &Context );
if ( !NT_SUCCESS(Status) ) { SspPrint(( SSP_CRITICAL, "SpSetContextAttributes: invalid context handle.\n" )); goto Cleanup; }
//
// Grab a local copy of the data
//
// Sanity check this size before allocating
LocalBuffer = (LPBYTE) NtLmAllocatePrivateHeap( BufferSize );
if ( LocalBuffer == NULL ) { Status = STATUS_NO_MEMORY; goto Cleanup; }
Status = LsaFunctions->CopyFromClientBuffer( NULL, BufferSize, LocalBuffer, Buffer );
if (!NT_SUCCESS(Status)) { goto Cleanup; }
//
// Return the appropriate information
//
switch(ContextAttribute) { case SECPKG_ATTR_USE_VALIDATED:
if ( BufferSize != sizeof(SavedUseValidated) ) { Status = STATUS_INVALID_PARAMETER; goto Cleanup; }
SavedUseValidated = *(LPDWORD)LocalBuffer; break;
case SECPKG_ATTR_CREDENTIAL_NAME:
if ( BufferSize <= sizeof(SecPkgContext_CredentialNameW) ) { Status = STATUS_INVALID_PARAMETER; goto Cleanup; }
// Sanity check the pointer and the contained string.
CredentialNameInfo = (PSecPkgContext_CredentialNameW) LocalBuffer; SavedCredentialType = CredentialNameInfo->CredentialType;
// I'm guessing at the offset of the string.
wcscpy( SavedCredentialName, (LPWSTR)(CredentialNameInfo+1) );
break;
default: Status = STATUS_NOT_SUPPORTED; break; }
Cleanup: if (Context != NULL) { SspContextDereferenceContext( Context ); } if ( LocalBuffer != NULL ) { NtLmFreePrivateHeap( LocalBuffer ); }
SspPrint((SSP_API, "Leaving SpSetContextAttributes for ctxt:0x%x, Attr:0x%x\n", ContextHandle, ContextAttribute));
return (SspNtStatusToSecStatus(Status, SEC_E_INTERNAL_ERROR));}
#endif
|
