|
|
//+-----------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (c) Microsoft Corporation 1991 - 1992
//
// File: tickets.c
//
// Contents: Ticket bundling code
//
//
// History: 6 Dec 91, RichardW Created
// 04 Jun 92 RichardW NT-ized
// 08-Jun-93 WadeR Converted to C++, rewrote packing code
//
//------------------------------------------------------------------------
#ifdef WIN32_CHICAGO
#include<kerb.hxx>
#include<kerbp.h>
#endif // WIN32_CHICAGO
#ifndef WIN32_CHICAGO
extern "C"{#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <windows.h>
#include <ntlsa.h>
#include <samrpc.h>
#include <samisrv.h>
#include <lsarpc.h>
#include <lsaisrv.h>
#include <lsaitf.h>
#include <wincrypt.h>
}#include <kerbcomm.h>
#include <kerberr.h>
#include <kerbcon.h>
#include <midles.h>
#include <authen.hxx>
#include <tostring.hxx>
#include "debug.h"
#include "fileno.h"
#else// WIN32_CHICAGO
#include "tostring.hxx"
#endif // WIN32_CHICAGO
#include <utils.hxx>
#define FILENO FILENO_TICKETS
//
// Debugging support.
//
#ifndef WIN32_CHICAGO
#ifdef DEBUG_SUPPORT
DEBUG_KEY KSuppDebugKeys[] = { {DEB_ERROR, "Error"}, {DEB_WARN, "Warning"}, {DEB_TRACE, "Trace"}, {DEB_T_SOCK, "Sock"}, {0, NULL } };#endif
DEFINE_DEBUG_DEFER(KSupp, KSuppDebugKeys);#endif // WIN32_CHICAGO
RTL_CRITICAL_SECTION OssCriticalSection;BOOLEAN TicketsInitialized;BOOLEAN KerbUseFastDecodeAlloc = FALSE;
#define I_LsaIThreadAlloc MIDL_user_allocate
#define I_LsaIThreadFree MIDL_user_free
//+-------------------------------------------------------------------------
//
// Function: KerbConvertGeneralizedTimeToLargeInt
//
// Synopsis: Converts a generalized time (ASN.1 format) to a large integer
// (NT format)
//
// Effects:
//
// Arguments: TimeStamp - receives NT-style time
// ClientTime - client generalized time
// ClientUsec - client micro second count
//
// Requires: none
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKerbConvertGeneralizedTimeToLargeInt( OUT PTimeStamp TimeStamp, IN PKERB_TIME ClientTime, IN int ClientUsec ){ KERB_TIME ZeroTime; TIME_FIELDS TimeFields;
//
// Special case zero time
//
RtlZeroMemory( &ZeroTime, sizeof(KERB_TIME) );
ZeroTime.universal = TRUE;
//
// Skip this check after 3/1/97 - no clients should send this sort of
// zero time
//
if (RtlEqualMemory( &ZeroTime, ClientTime, sizeof(KERB_TIME) )) {#ifndef WIN32_CHICAGO
TimeStamp->QuadPart = 0;#else // WIN32_CHICAGO
*TimeStamp = 0;#endif // WIN32_CHICAGO
return; }
//
// Check for MIT zero time
//
ZeroTime.year = 1970; ZeroTime.month = 1; ZeroTime.day = 1;
if (RtlEqualMemory( &ZeroTime, ClientTime, sizeof(KERB_TIME) )) {#ifndef WIN32_CHICAGO
TimeStamp->QuadPart = 0;#else // WIN32_CHICAGO
*TimeStamp = 0;#endif // WIN32_CHICAGO
return; } else { TimeFields.Year = ClientTime->year; TimeFields.Month = ClientTime->month; TimeFields.Day = ClientTime->day; TimeFields.Hour = ClientTime->hour; TimeFields.Minute = ClientTime->minute; TimeFields.Second = ClientTime->second; TimeFields.Milliseconds = ClientTime->millisecond; // to convert from micro to milli
TimeFields.Weekday = 0;
#ifndef WIN32_CHICAGO
RtlTimeFieldsToTime( &TimeFields, TimeStamp );#else // WIN32_CHICAGO
LARGE_INTEGER TempTimeStamp; RtlTimeFieldsToTime( &TimeFields, &TempTimeStamp ); *TimeStamp = TempTimeStamp.QuadPart;#endif // WIN32_CHICAGO
//
// add in any micro seconds
//
#ifndef WIN32_CHICAGO
TimeStamp->QuadPart += ClientUsec * 10;#else // WIN32_CHICAGO
*TimeStamp += ClientUsec * 10;#endif // WIN32_CHICAGO
}
}
//+-------------------------------------------------------------------------
//
// Function: KerbConvertLargeIntToGeneralizedTime
//
// Synopsis: Converts a large integer to ageneralized time
//
// Effects:
//
// Arguments: ClientTime - receives generalized time
// ClientUsec - receives micro second count
// TimeStamp - contains NT-style time
//
// Requires: none
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKerbConvertLargeIntToGeneralizedTime( OUT PKERB_TIME ClientTime, OUT OPTIONAL int * ClientUsec, IN PTimeStamp TimeStamp ){ TIME_FIELDS TimeFields;
//
// Special case zero time
//
#ifndef WIN32_CHICAGO
if (TimeStamp->QuadPart == 0)#else // WIN32_CHICAGO
if (*TimeStamp == 0)#endif // WIN32_CHICAGO
{ RtlZeroMemory( ClientTime, sizeof(KERB_TIME) ); //
// For MIT compatibility, time zero is 1/1/70
//
ClientTime->year = 1970; ClientTime->month = 1; ClientTime->day = 1;
if (ARGUMENT_PRESENT(ClientUsec))
{ *ClientUsec = 0; } ClientTime->universal = TRUE; } else {
#ifndef WIN32_CHICAGO
RtlTimeToTimeFields( TimeStamp, &TimeFields );#else // WIN32_CHICAGO
RtlTimeToTimeFields( (LARGE_INTEGER*)TimeStamp, &TimeFields );#endif // WIN32_CHICAGO
//
// Generalized times can only contains years up to four digits.
//
if (TimeFields.Year > 2037) { ClientTime->year = 2037; } else { ClientTime->year = TimeFields.Year; } ClientTime->month = (ASN1uint8_t) TimeFields.Month; ClientTime->day = (ASN1uint8_t) TimeFields.Day; ClientTime->hour = (ASN1uint8_t) TimeFields.Hour; ClientTime->minute = (ASN1uint8_t) TimeFields.Minute; ClientTime->second = (ASN1uint8_t) TimeFields.Second;
// MIT kerberos does not support millseconds
//
ClientTime->millisecond = 0;
if (ARGUMENT_PRESENT(ClientUsec)) { //
// Since we don't include milliseconds above, use the whole
// thing here.
//
#ifndef WIN32_CHICAGO
*ClientUsec = (TimeStamp->LowPart / 10) % 1000000;#else // WIN32_CHICAGO
*ClientUsec = (int) ((*TimeStamp / 10) % 1000000);#endif // WIN32_CHICAGO
}
ClientTime->diff = 0; ClientTime->universal = TRUE; }
}
VOIDKerbConvertLargeIntToGeneralizedTimeWrapper( OUT PKERB_TIME ClientTime, OUT OPTIONAL long * ClientUsec, IN PTimeStamp TimeStamp ){ int temp;
if (ClientUsec != NULL) { KerbConvertLargeIntToGeneralizedTime( ClientTime, &temp, TimeStamp );
*ClientUsec = temp; } else { KerbConvertLargeIntToGeneralizedTime( ClientTime, NULL, TimeStamp ); }}
//+-------------------------------------------------------------------------
//
// Function: KerbFreeHostAddresses
//
// Synopsis: Frees a host address allocated with KerbBuildHostAddresses
//
// Effects:
//
// Arguments: Addresses - The name to free
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKerbFreeHostAddresses( IN PKERB_HOST_ADDRESSES Addresses ){ PKERB_HOST_ADDRESSES Elem,NextElem;
Elem = Addresses; while (Elem != NULL) { if (Elem->value.address.value != NULL) { MIDL_user_free(Elem->value.address.value); } NextElem = Elem->next; MIDL_user_free(Elem); Elem = NextElem; }}
#ifndef WIN32_CHICAGO
//+-------------------------------------------------------------------------
//
// Function: KerbCheckTimeSkew
//
// Synopsis: Verifies the supplied time is within the skew of another
// supplied time
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
BOOLEANKerbCheckTimeSkew( IN PTimeStamp CurrentTime, IN PTimeStamp ClientTime, IN PTimeStamp AllowedSkew ){ TimeStamp TimePlus, TimeMinus;
TimePlus.QuadPart = CurrentTime->QuadPart + AllowedSkew->QuadPart; TimeMinus.QuadPart = CurrentTime->QuadPart - AllowedSkew->QuadPart;
if ((ClientTime->QuadPart > TimePlus.QuadPart) || (ClientTime->QuadPart < TimeMinus.QuadPart)) { return(FALSE); }
return(TRUE);}
//+-------------------------------------------------------------------------
//
// Function: KerbVerifyTicket
//
// Synopsis: Verifies that the specified ticket is valid by checking
// for valid times, flags, and server principal name. This is
// called by KerbCheckTicket to verify an AP request and by the
// KDC to verify additional tickets in TGS request
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKerbVerifyTicket( IN PKERB_TICKET PackedTicket, IN ULONG NameCount, IN OPTIONAL PUNICODE_STRING ServiceNames, IN PUNICODE_STRING ServiceRealm, IN PKERB_ENCRYPTION_KEY ServiceKey, IN OPTIONAL PTimeStamp SkewTime, OUT PKERB_ENCRYPTED_TICKET * DecryptedTicket ){ KERBERR KerbErr = KDC_ERR_NONE; UNICODE_STRING TicketRealm = {0}; PKERB_ENCRYPTED_TICKET EncryptPart = NULL; TimeStamp TimePlus, TimeMinus, TimeNow, StartTime,EndTime, Time2Plus; ULONG TicketFlags = 0;
#ifdef notedef
if ( ARGUMENT_PRESENT(ServiceNames) ) { ULONG Index;
KerbErr = KRB_AP_ERR_NOT_US;
//
// Loop through names looking for a match
//
for (Index = 0; Index < NameCount ; Index++ ) { if (KerbCompareStringToPrincipalName( &PackedTicket->server_name, &ServiceNames[Index] ) ) { KerbErr = KDC_ERR_NONE; break; }
} if (!KERB_SUCCESS(KerbErr)) { DebugLog(( DEB_WARN, "KLIN(%x) Ticket (%s) not for this service (%wZ).\n", KLIN(FILENO, __LINE__), PackedTicket->server_name.name_string->value, &ServiceNames[0] )); goto Cleanup; } }
if (ARGUMENT_PRESENT(ServiceRealm)) { KerbErr = KerbConvertRealmToUnicodeString( &TicketRealm, &PackedTicket->realm ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
if (!KerbCompareUnicodeRealmNames( &TicketRealm, ServiceRealm )) { KerbErr = KRB_AP_ERR_NOT_US; DebugLog(( DEB_WARN, "KLIN(%x) Ticket (%wZ) not for this realm (%wZ).\n", KLIN(FILENO, __LINE__), &TicketRealm, ServiceRealm )); goto Cleanup;
} }#endif
//
// Unpack ticket.
//
KerbErr = KerbUnpackTicket( PackedTicket, ServiceKey, &EncryptPart ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_WARN, "KLIN(%x) KerbUnpackTicket failed: 0x%x", KLIN(FILENO, __LINE__), KerbErr)); goto Cleanup; }
if (PackedTicket->ticket_version != KERBEROS_VERSION) { DebugLog(( DEB_WARN, "KLIN(%x) Ticket has bad version %d\n", KLIN(FILENO, __LINE__),PackedTicket->ticket_version )); KerbErr = KRB_AP_ERR_BADVERSION; goto Cleanup; }
//
// If the caller provided a skew time, check the times on the ticket.
// Otherwise it is up to the caller to check that the ticket times are
// correct
//
if (ARGUMENT_PRESENT(SkewTime)) { //
// Check the times on the ticket. We do this last because when the KDC
// wants to renew a ticket, the timestamps may be incorrect, but it will
// accept the ticket anyway. This way the KDC can be certain when the
// times are wrong that everything else is OK.
//
GetSystemTimeAsFileTime((PFILETIME) &TimeNow );
#ifndef WIN32_CHICAGO
TimePlus.QuadPart = TimeNow.QuadPart + SkewTime->QuadPart; Time2Plus.QuadPart = TimePlus.QuadPart + SkewTime->QuadPart; TimeMinus.QuadPart = TimeNow.QuadPart - SkewTime->QuadPart; #else // WIN32_CHICAGO
TimePlus = TimeNow + *SkewTime; Time2Plus = TimePlus + *SkewTime; TimeMinus = TimeNow - *SkewTime; #endif // WIN32_CHICAGO
KerbConvertGeneralizedTimeToLargeInt( &EndTime, &EncryptPart->endtime, 0 );
//
// Did the ticket expire already?
//
#ifndef WIN32_CHICAGO
if ( EndTime.QuadPart < TimeMinus.QuadPart ) #else // WIN32_CHICAGO
if ( EndTime < TimeMinus ) #endif // WIN32_CHICAGO
{ DebugLog(( DEB_WARN, "KLIN(%x) KerbCheckTicket: ticket is expired.\n", KLIN(FILENO, __LINE__)));
KerbErr = KRB_AP_ERR_TKT_EXPIRED; goto Cleanup; }
//
// Is the ticket valid yet?
//
if (EncryptPart->bit_mask & KERB_ENCRYPTED_TICKET_starttime_present) { KerbConvertGeneralizedTimeToLargeInt( &StartTime, &EncryptPart->KERB_ENCRYPTED_TICKET_starttime, 0 );
TicketFlags = KerbConvertFlagsToUlong( &EncryptPart->flags ); //
// BUG 403734: Look into this a bit more
// We don't check for tickets that aren't valid yet, as
// our KDC doesn't normally hand out post dated tickets. As long
// as the end time is valid, that is good enough for us.
//
//
// Does the ticket start in the future? Allow twice the skew in
// the reverse direction.
//
#ifndef WIN32_CHICAGO
if ( (StartTime.QuadPart > Time2Plus.QuadPart) || #else // WIN32_CHICAGO
if ( (StartTime > Time2Plus) || #endif // WIN32_CHICAGO
((TicketFlags & KERB_TICKET_FLAGS_invalid) != 0 )) { KerbErr = KRB_AP_ERR_TKT_NYV; goto Cleanup; } } }
*DecryptedTicket = EncryptPart; EncryptPart = NULL;
Cleanup: if (EncryptPart != NULL) { KerbFreeTicket(EncryptPart); } KerbFreeString(&TicketRealm); return(KerbErr);}
//+---------------------------------------------------------------------------
//
// Function: KerbCheckTicket
//
// Synopsis: Decrypts a ticket and authenticator, verifies them.
//
// Effects: decrypts the ticket and authenticator (in place) allocates mem.
//
// Arguments: [PackedTicket] -- Encrypted ticket
// [PackedTicketSize] - Size of encrypted ticket
// [pedAuth] -- Encrypted authenticator
// [pkKey] -- Key to decrypt ticket with
// [alAuthenList] -- List of authenticators to check against
// [NameCount] -- Count of service names
// [pwzServiceName] -- Name of service (may be NULL).
// [CheckForReplay] -- If TRUE, check authenticator cache for replay
// [KdcRequest] -- If TRUE, this is the ticket in a TGS req
// [pkitTicket] -- Decrypted ticket
// [pkiaAuth] -- Decrypted authenticator
// [pkTicketKey] -- Session key from ticket
// [pkSessionKey] -- Session key to use
//
// Returns: KDC_ERR_NONE if everything is OK, else error.
//
// History: 4-04-93 WadeR Created
//
// Notes: The caller must call KerbFreeTicket and
// KerbFreeAuthenticator on pkitTicket and pkiaAuth,
// respectively.
//
// If pwzServiceName == NULL, it won't check the service name.
//
// See sections 3.2.3 and A.10 of the Kerberos V5 R5.2 spec
//
//----------------------------------------------------------------------------
KERBERR NTAPIKerbCheckTicket( IN PKERB_TICKET PackedTicket, IN PKERB_ENCRYPTED_DATA EncryptedAuthenticator, IN PKERB_ENCRYPTION_KEY pkKey, IN OUT CAuthenticatorList * AuthenticatorList, IN PTimeStamp SkewTime, IN ULONG NameCount, IN PUNICODE_STRING ServiceNames, IN PUNICODE_STRING ServiceRealm, IN BOOLEAN CheckForReplay, IN BOOLEAN KdcRequest, OUT PKERB_ENCRYPTED_TICKET * EncryptTicket, OUT PKERB_AUTHENTICATOR * Authenticator, OUT OPTIONAL PKERB_ENCRYPTION_KEY pkTicketKey, OUT PKERB_ENCRYPTION_KEY pkSessionKey, OUT PBOOLEAN UseSubKey ){ NTSTATUS Status = STATUS_SUCCESS; KERBERR KerbErr = KDC_ERR_NONE; PKERB_ENCRYPTED_TICKET EncryptPart = NULL; LARGE_INTEGER AuthenticatorTime;
//
// The caller will free these, so we must make sure they are valid
// if we return before putting anything in them. This will zero out
// all of the pointers in them, so it's safe to free them later.
//
*EncryptTicket = NULL; *Authenticator = NULL; *UseSubKey = FALSE;
RtlZeroMemory( pkSessionKey, sizeof(KERB_ENCRYPTION_KEY) ); if (ARGUMENT_PRESENT(pkTicketKey)) { *pkTicketKey = *pkSessionKey; }
//
// Is the ticket for this service?
// ServerName in ticket is different length then ServerName passed in,
// or same length but contents don't match.
//
// If either of KerbUnpackTicket or KerbUnpackAuthenticator
// get bad data, they could access violate.
//
__try {
KerbErr = KerbVerifyTicket( PackedTicket, NameCount, ServiceNames, ServiceRealm, pkKey, SkewTime, &EncryptPart ); if (!KERB_SUCCESS(KerbErr)) { __leave; }
//
// Unpack Authenticator.
//
KerbErr = KerbUnpackAuthenticator( &EncryptPart->key, EncryptedAuthenticator, KdcRequest, Authenticator ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_WARN,"KerbUnpackAuthenticator failed: 0x%x\n", KerbErr) ); __leave; }
//
// Check the contents of the authenticator
//
if ((*Authenticator)->authenticator_version != KERBEROS_VERSION) { DebugLog(( DEB_WARN, "Authenticator has bad version %d\n", (*Authenticator)->authenticator_version )); KerbErr = KRB_AP_ERR_BADVERSION; __leave; }
if (!KerbComparePrincipalNames( &EncryptPart->client_name, &(*Authenticator)->client_name ) || !KerbCompareRealmNames( &EncryptPart->client_realm, &(*Authenticator)->client_realm ) ) { DebugLog(( DEB_WARN, "Authenticator principal != ticket principal\n")); KerbErr = KRB_AP_ERR_BADMATCH; __leave; }
//
// Make sure the authenticator isn't a repeat, or too old.
//
if (CheckForReplay) { KerbConvertGeneralizedTimeToLargeInt( &AuthenticatorTime, &(*Authenticator)->client_time, (*Authenticator)->client_usec );
KerbErr = (KERBERR) AuthenticatorList->Check( EncryptedAuthenticator->cipher_text.value, EncryptedAuthenticator->cipher_text.length, NULL, 0, &AuthenticatorTime, TRUE ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_WARN,"Failed authenticator check: 0x%x\n",KerbErr)); __leave; } } } __except(EXCEPTION_EXECUTE_HANDLER) { // Any exceptions are likely from bad ticket data being unmarshalled.
DebugLog(( DEB_WARN, "Exception 0x%X in KerbCheckTicket (likely bad ticket or auth.\n", GetExceptionCode() )); KerbErr = KRB_AP_ERR_BADVERSION; }
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } //
// Extract the correct session key. If the Sub-session key in the
// Authenticator is present, use it. Otherwise, use the session key
// from the ticket.
//
if (((*Authenticator)->bit_mask & KERB_AUTHENTICATOR_subkey_present) != 0) { D_DebugLog(( DEB_TRACE, "Using sub session key from authenticator.\n" )); KerbErr = KerbDuplicateKey( pkSessionKey, &(*Authenticator)->KERB_AUTHENTICATOR_subkey ); *UseSubKey = TRUE; } else { KerbErr = KerbDuplicateKey( pkSessionKey, &EncryptPart->key ); } if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// The reply has to be encrypted with the ticket key, not the new
// session key
//
if (ARGUMENT_PRESENT(pkTicketKey)) { KerbErr = KerbDuplicateKey( pkTicketKey, &EncryptPart->key ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; } }
*EncryptTicket = EncryptPart; EncryptPart = NULL;
Cleanup: if (EncryptPart != NULL) { KerbFreeTicket(EncryptPart); } if (!KERB_SUCCESS(KerbErr)) { KerbFreeKey(pkSessionKey); if (ARGUMENT_PRESENT(pkTicketKey)) { KerbFreeKey(pkTicketKey); } }
return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbDuplicateSid
//
// Synopsis: Duplicates a SID
//
// Effects: allocates memory with LsaFunctions.AllocateLsaHeap
//
// Arguments: DestinationSid - Receives a copy of the SourceSid
// SourceSid - SID to copy
//
// Requires:
//
// Returns: STATUS_SUCCESS - the copy succeeded
// STATUS_INSUFFICIENT_RESOURCES - the call to allocate memory
// failed
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbDuplicateSid( OUT PSID * DestinationSid, IN PSID SourceSid ){ ULONG SidSize;
if (!RtlValidSid(SourceSid)) { return STATUS_INVALID_PARAMETER; }
DsysAssert(RtlValidSid(SourceSid));
SidSize = RtlLengthSid(SourceSid); *DestinationSid = (PSID) MIDL_user_allocate( SidSize ); if (*DestinationSid == NULL) { return(STATUS_INSUFFICIENT_RESOURCES); } RtlCopyMemory( *DestinationSid, SourceSid, SidSize ); return(STATUS_SUCCESS);}
#endif // WIN32_CHICAGO
//
// Ticket pack/unpack code.
//
struct BufferState{ PBYTE pbBufferPointer; ULONG cbBufferSize;};
static voidAllocFcn( void * pvState, char ** ppbOut, unsigned int * pulSize ){ BufferState* state = (BufferState*) pvState;
//
// MIDL pickling calls this routine with the size of the object
// obtained by _GetSize(). This routine must return a buffer in
// ppbOut with at least *pulSize bytes.
//
DsysAssert( state->pbBufferPointer != NULL ); DsysAssert( state->cbBufferSize >= *pulSize );
*ppbOut = (char*)state->pbBufferPointer; state->pbBufferPointer += *pulSize; state->cbBufferSize -= *pulSize;}
static voidWriteFcn( void * pvState, char * pbOut, unsigned int ulSize ){ //
// Since the data was pickled directly to the target buffer, don't
// do anything here.
//
}
static voidReadFcn( void * pvState, char ** ppbOut, unsigned int * pulSize ){ BufferState* state = (BufferState*) pvState;
//
// MIDL pickling calls this routine with the size to read.
// This routine must return a buffer in ppbOut which contains the
// encoded data.
//
DsysAssert( state->pbBufferPointer != NULL ); DsysAssert( state->cbBufferSize >= *pulSize );
*ppbOut = (char*)state->pbBufferPointer; state->pbBufferPointer += *pulSize; state->cbBufferSize -= *pulSize;}
//+---------------------------------------------------------------------------
//
// Function: KerbPackTicket
//
// Synopsis: Packs a KerbInternalTicket to a KerbTicket
//
// Effects: Allocates the KerbTicket via MIDL.
//
// Arguments: [InternalTicket] -- Internal ticket to pack. Those fields
// reused in the packed ticket are zeroed.
// [pkKey] -- Key to pack it with
// [EncryptionType] -- Encryption type to use
// [PackedTicket] -- (out) encrypted ticket. Only the encrypt_part
// is allocated.
//
// History: 08-Jun-93 WadeR Created
//
// Notes: The MES encoding needs to be changed to ASN1 encoding
//
//----------------------------------------------------------------------------
KERBERR NTAPIKerbPackTicket( IN PKERB_TICKET InternalTicket, IN PKERB_ENCRYPTION_KEY pkKey, IN ULONG EncryptionType, OUT PKERB_TICKET PackedTicket ){ KERBERR KerbErr = KDC_ERR_NONE; PKERB_TICKET OutputTicket = 0; PKERB_ENCRYPTED_TICKET EncryptedTicket = NULL; ULONG cbEncryptedPart; KERB_TICKET TemporaryTicket; PUCHAR MarshalledEncryptPart = NULL; ULONG EncryptionOverhead; ULONG BlockSize;
//
// Pack the data into the encrypted portion.
//
RtlZeroMemory( &TemporaryTicket, sizeof(KERB_TICKET) );
EncryptedTicket = (PKERB_ENCRYPTED_TICKET) InternalTicket->encrypted_part.cipher_text.value;
KerbErr = KerbPackData( EncryptedTicket, KERB_ENCRYPTED_TICKET_PDU, &cbEncryptedPart, &MarshalledEncryptPart );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to marshall ticket: 0x%x\n",KerbErr)); goto Cleanup; }
//
// And encrypt it.
//
TemporaryTicket = *InternalTicket;
RtlZeroMemory( &InternalTicket->realm, sizeof(KERB_REALM) );
RtlZeroMemory( &InternalTicket->server_name, sizeof(KERB_PRINCIPAL_NAME) );
KerbErr = KerbAllocateEncryptionBufferWrapper( EncryptionType, cbEncryptedPart, &TemporaryTicket.encrypted_part.cipher_text.length, &TemporaryTicket.encrypted_part.cipher_text.value );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KerbEncryptDataEx( &TemporaryTicket.encrypted_part, cbEncryptedPart, MarshalledEncryptPart, EncryptionType, KERB_TICKET_SALT, pkKey );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to encrypt data: 0x%x\n",KerbErr)); goto Cleanup; }
*PackedTicket = TemporaryTicket;
Cleanup: if (MarshalledEncryptPart != NULL) { MIDL_user_free(MarshalledEncryptPart); }
if (!KERB_SUCCESS(KerbErr)) { if (TemporaryTicket.encrypted_part.cipher_text.value != NULL) { MIDL_user_free(TemporaryTicket.encrypted_part.cipher_text.value); }
} return(KerbErr);}
//+---------------------------------------------------------------------------
//
// Function: KerbUnpackTicket
//
// Synopsis: Decrypts and unpacks the encyrpted part of aticket.
//
// Effects: Allocates memory, decrypts pktTicket in place
//
// Arguments: [PackedTicket] -- ticket to unpack
// [PackedTicketSize] -- length of packed ticket
// [pkKey] -- key to unpack it with
// [InternalTicket] -- (out) unpacked ticket
//
// Returns: KDC_ERR_NONE or error from decrypt
//
// Signals: Any exception the MIDL unpacking code throws.
//
// History: 09-Jun-93 WadeR Created
//
// Notes: Free InternalTicket with KerbFreeTicket, below.
//
//----------------------------------------------------------------------------
KERBERR NTAPIKerbUnpackTicket( IN PKERB_TICKET PackedTicket, IN PKERB_ENCRYPTION_KEY pkKey, OUT PKERB_ENCRYPTED_TICKET * InternalTicket ){ KERBERR KerbErr = KDC_ERR_NONE; PKERB_TICKET DecryptedTicket = NULL; PUCHAR EncryptedPart = NULL; ULONG EncryptSize; PKERB_ENCRYPTED_TICKET EncryptedTicket = NULL;
//
// Now decrypt the encrypted part of the ticket
//
EncryptedPart = (PUCHAR) MIDL_user_allocate(PackedTicket->encrypted_part.cipher_text.length); if (EncryptedPart == NULL) { return(KRB_ERR_GENERIC); }
EncryptSize = PackedTicket->encrypted_part.cipher_text.length; KerbErr = KerbDecryptDataEx( &PackedTicket->encrypted_part, pkKey, KERB_TICKET_SALT, &EncryptSize, EncryptedPart );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to decrypt ticket: 0x%x\n",KerbErr)); goto Cleanup; }
KerbErr = KerbUnpackData( EncryptedPart, EncryptSize, KERB_ENCRYPTED_TICKET_PDU, (PVOID *) &EncryptedTicket ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to unmarshall ticket: 0x%x\n",KerbErr)); goto Cleanup; }
*InternalTicket = EncryptedTicket;Cleanup: if (EncryptedPart != NULL) { MIDL_user_free(EncryptedPart); } return(KerbErr);}
//+---------------------------------------------------------------------------
//
// Function: KerbCreateAuthenticator
//
// Synopsis: Creates an authenticator for a client to pass to a service
//
// Effects: Encrypts pedAuthenticator
//
// Arguments: [pkKey] -- (in) session key from the ticket this
// authenticator is for.
// [dwEncrType] -- (in) Desired encryption type
// [dwSeq] -- (in) nonce for authenticator
// [ClientName] -- (in) name of principal
// [ClientRealm] -- (in) logon realm of principal
// [SkewTime] -- (in) Skew of server's time
// [pkSubKey] -- (in) desired sub key (may be NULL)
// [GssChecksum] -- (in) optional checksum message to put in authenticator
// [KdcRequest] -- (in) If TRUE, this is an authenticator for a KDC request
// and we use a different salt
// [Authenticator]-- (out) completed authenticator
//
// History: 4-28-93 WadeR Created
//
// Notes: If pkKey is NULL, a null subkey is used.
//
//
//----------------------------------------------------------------------------
KERBERR NTAPIKerbCreateAuthenticator( IN PKERB_ENCRYPTION_KEY pkKey, IN ULONG EncryptionType, IN ULONG SequenceNumber, IN PKERB_INTERNAL_NAME ClientName, IN PUNICODE_STRING ClientRealm, IN OPTIONAL PTimeStamp SkewTime, IN PKERB_ENCRYPTION_KEY pkSubKey, IN OPTIONAL PKERB_CHECKSUM GssChecksum, IN BOOLEAN KdcRequest, OUT PKERB_ENCRYPTED_DATA Authenticator ){ KERB_AUTHENTICATOR InternalAuthenticator; PKERB_AUTHENTICATOR AuthPointer = &InternalAuthenticator; ULONG cbAuthenticator; ULONG cbTotal; PUCHAR PackedAuthenticator = NULL; KERBERR KerbErr = KDC_ERR_NONE; TimeStamp TimeToUse; ULONG EncryptionOverhead; ULONG BlockSize;
Authenticator->cipher_text.value = NULL;
RtlZeroMemory( &InternalAuthenticator, sizeof(KERB_AUTHENTICATOR) );
// Build an authenticator
InternalAuthenticator.authenticator_version = KERBEROS_VERSION;
// Use "InitString" because we will marshall and then discard the
// InternalAthenticator. Therefore it's not a problem having the
// string point to memory we don't own.
KerbErr = KerbConvertUnicodeStringToRealm( &InternalAuthenticator.client_realm, ClientRealm ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KerbConvertKdcNameToPrincipalName( &InternalAuthenticator.client_name, ClientName ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// Stick the correct time in the authenticator
//
GetSystemTimeAsFileTime((PFILETIME)&TimeToUse); if (ARGUMENT_PRESENT(SkewTime)) {#ifndef WIN32_CHICAGO
TimeToUse.QuadPart += SkewTime->QuadPart;#else // WIN32_CHICAGO
TimeToUse += *SkewTime;#endif // WIN32_CHICAGO
}
KerbConvertLargeIntToGeneralizedTimeWrapper( &InternalAuthenticator.client_time, &InternalAuthenticator.client_usec, &TimeToUse );
InternalAuthenticator.bit_mask |= KERB_AUTHENTICATOR_sequence_number_present;
ASN1intx_setuint32( &InternalAuthenticator.KERB_AUTHENTICATOR_sequence_number, SequenceNumber ); if (InternalAuthenticator.KERB_AUTHENTICATOR_sequence_number.value == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; }
if (ARGUMENT_PRESENT(pkSubKey)) { InternalAuthenticator.bit_mask |= KERB_AUTHENTICATOR_subkey_present; InternalAuthenticator.KERB_AUTHENTICATOR_subkey = *pkSubKey; }
//
// If the GSS checksum is present, include it and set it in the bitmask
//
if (ARGUMENT_PRESENT(GssChecksum)) { InternalAuthenticator.checksum = *GssChecksum; InternalAuthenticator.bit_mask |= checksum_present; }
KerbErr = KerbPackData( AuthPointer, KERB_AUTHENTICATOR_PDU, &cbAuthenticator, &PackedAuthenticator );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to marshall authenticator: 0x%x\n",KerbErr)); goto Cleanup; }
//
// Now we need to encrypt the buffer
//
KerbErr = KerbAllocateEncryptionBufferWrapper( EncryptionType, cbAuthenticator, &Authenticator->cipher_text.length, &Authenticator->cipher_text.value );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KerbEncryptDataEx( Authenticator, cbAuthenticator, PackedAuthenticator, EncryptionType, KdcRequest ? KERB_TGS_REQ_AP_REQ_AUTH_SALT : KERB_AP_REQ_AUTH_SALT, pkKey ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to encrypt data: 0x%x\n",KerbErr)); goto Cleanup; }
Cleanup: KerbFreePrincipalName(&InternalAuthenticator.client_name); KerbFreeRealm(&InternalAuthenticator.client_realm); if (InternalAuthenticator.KERB_AUTHENTICATOR_sequence_number.value != NULL) { ASN1intx_free(&InternalAuthenticator.KERB_AUTHENTICATOR_sequence_number); } if (PackedAuthenticator != NULL) { MIDL_user_free(PackedAuthenticator);
} return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbUnpackAuthenticator
//
// Synopsis: Unpacks and decrypts an authenticator
//
// Effects: allocates memory for output authenticator
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERR NTAPIKerbUnpackAuthenticator( IN PKERB_ENCRYPTION_KEY Key, IN PKERB_ENCRYPTED_DATA EncryptedAuthenticator, IN BOOLEAN KdcRequest, OUT PKERB_AUTHENTICATOR * Authenticator ){ KERBERR KerbErr = KDC_ERR_NONE; PUCHAR EncryptedPart; ULONG EncryptedSize; ULONG Pdu = KERB_AUTHENTICATOR_PDU;
*Authenticator = NULL; //
// Decrypt it
//
EncryptedPart = (PUCHAR) MIDL_user_allocate(EncryptedAuthenticator->cipher_text.length); if (EncryptedPart == NULL) { return(KRB_ERR_GENERIC); }
EncryptedSize = EncryptedAuthenticator->cipher_text.length; KerbErr = KerbDecryptDataEx( EncryptedAuthenticator, Key, KdcRequest ? KERB_TGS_REQ_AP_REQ_AUTH_SALT : KERB_AP_REQ_AUTH_SALT, &EncryptedSize, EncryptedPart );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to decrypt authenticator: 0x%x\n",KerbErr)); goto Cleanup; }
//
// Unpack it
//
KerbErr = KerbUnpackData( EncryptedPart, EncryptedSize, Pdu, (PVOID *) Authenticator ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to unmarshall authenticator: 0x%x\n",KerbErr)); goto Cleanup; }
Cleanup: if (EncryptedPart != NULL) { MIDL_user_free(EncryptedPart); } if (!KERB_SUCCESS(KerbErr) && (*Authenticator != NULL)) { MIDL_user_free(*Authenticator); *Authenticator = NULL; } return(KerbErr);}
//
// KDC Reply stuff
//
//+-------------------------------------------------------------------------
//
// Function: KerbPackKdcReplyBody
//
// Synopsis: Marshalls a the body of a KDC reply
//
// Effects: allocates value of encrypted reply
//
// Arguments: ReplyBody - The reply body to marshall
// Key - The key to encrypt the reply
// EncryptionType - the algorithm to encrypt with
// Pdu - Pdu to pack with, eith AS or TGS reply
// EncryptedReplyBody - receives the encrypted and marshalled reply
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERR NTAPIKerbPackKdcReplyBody( IN PKERB_ENCRYPTED_KDC_REPLY ReplyBody, IN PKERB_ENCRYPTION_KEY Key, IN ULONG EncryptionType, IN ULONG Pdu, OUT PKERB_ENCRYPTED_DATA EncryptedReply ){ KERBERR KerbErr = KDC_ERR_NONE; ULONG BodySize; ULONG EncryptionOverhead; PUCHAR MarshalledReply = NULL; ULONG TotalSize; ULONG BlockSize = 0;
EncryptedReply->cipher_text.value = NULL;
KerbErr = KerbPackData( ReplyBody, Pdu, &BodySize, &MarshalledReply );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to marshall kdc reply body: 0x%x\n",KerbErr)); goto Cleanup; }
//
// Now we need to encrypt this into the encrypted data structure.
//
//
// First get the overhead size
//
KerbErr = KerbGetEncryptionOverhead( EncryptionType, &EncryptionOverhead, &BlockSize ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
DsysAssert(BlockSize <= 8);
TotalSize = ROUND_UP_COUNT(EncryptionOverhead + BodySize, BlockSize);
EncryptedReply->cipher_text.length = TotalSize; EncryptedReply->cipher_text.value = (PUCHAR) MIDL_user_allocate(TotalSize); if (EncryptedReply->cipher_text.value == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; }
//
// Now encrypt the buffer
//
KerbErr = KerbEncryptDataEx( EncryptedReply, BodySize, MarshalledReply, EncryptionType, (Pdu == KERB_AS_REPLY_PDU) ? KERB_AS_REP_SALT : KERB_TGS_REP_SALT, Key );
#ifndef USE_FOR_CYBERSAFE
EncryptedReply->version = 1; EncryptedReply->bit_mask |= version_present;#endif
Cleanup: if (MarshalledReply != NULL) { MIDL_user_free(MarshalledReply); } if (!KERB_SUCCESS(KerbErr) && (EncryptedReply->cipher_text.value != NULL)) { MIDL_user_free(EncryptedReply->cipher_text.value); EncryptedReply->cipher_text.value = NULL; } return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbUnpackKdcReplyBody
//
// Synopsis: Unpacks a KDC reply body
//
// Effects:
//
// Arguments: EncryptedReplyBody - an encrypted marshalled reply body.
// Key - Key to decrypt the reply.
// Pdu - PDU of reply body (eithe AS or TGS)
// ReplyBody - receives the decrypted reply body, allocated with
// MIDL_user_allocate.
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERR NTAPIKerbUnpackKdcReplyBody( IN PKERB_ENCRYPTED_DATA EncryptedReplyBody, IN PKERB_ENCRYPTION_KEY Key, IN ULONG Pdu, OUT PKERB_ENCRYPTED_KDC_REPLY * ReplyBody ){ KERBERR KerbErr = KDC_ERR_NONE; PUCHAR MarshalledReply = NULL; ULONG ReplySize;
*ReplyBody = NULL; MarshalledReply = (PUCHAR) MIDL_user_allocate(EncryptedReplyBody->cipher_text.length);
if (MarshalledReply == NULL) { return(KRB_ERR_GENERIC); }
//
// First decrypt the buffer
//
ReplySize = EncryptedReplyBody->cipher_text.length; KerbErr = KerbDecryptDataEx( EncryptedReplyBody, Key, (Pdu == KERB_AS_REPLY_PDU) ? KERB_AS_REP_SALT : KERB_TGS_REP_SALT, &ReplySize, MarshalledReply );
if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KerbUnpackData( MarshalledReply, ReplySize, Pdu, (PVOID *) ReplyBody );
if (!KERB_SUCCESS(KerbErr)) {
//
// MIT KDCs send back TGS reply bodies instead of AS reply bodies
// so try TGS here
//
if (Pdu == KERB_ENCRYPTED_AS_REPLY_PDU) { KerbErr = KerbUnpackData( MarshalledReply, ReplySize, KERB_ENCRYPTED_TGS_REPLY_PDU, (PVOID *) ReplyBody );
} if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to unmarshall kdc reply body: 0x%x\n",KerbErr)); goto Cleanup; }
}Cleanup: if (MarshalledReply != NULL) { MIDL_user_free(MarshalledReply); } if (!KERB_SUCCESS(KerbErr) && (*ReplyBody != NULL)) { MIDL_user_free(*ReplyBody); *ReplyBody = NULL; } return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbFindAuthDataEntry
//
// Synopsis: Finds a specific entry in an authorization data structure
//
// Effects:
//
// Arguments: EntryId - ID of the entry to locate
// AuthData - the authorization data to search
//
// Requires:
//
// Returns: NULL if it wasn't found of the auth data entry
//
// Notes:
//
//
//--------------------------------------------------------------------------
PKERB_AUTHORIZATION_DATAKerbFindAuthDataEntry( IN ULONG EntryId, IN PKERB_AUTHORIZATION_DATA AuthData ){ PKERB_AUTHORIZATION_DATA TempData = AuthData;
while (TempData != NULL) { if (TempData->value.auth_data_type == (int) EntryId) { break; } TempData = TempData->next; } return(TempData);}
//+-------------------------------------------------------------------------
//
// Function: KerbFindPreAuthDataEntry
//
// Synopsis: Finds a specific entry in an authorization data structure
//
// Effects:
//
// Arguments: EntryId - ID of the entry to locate
// AuthData - the authorization data to search
//
// Requires:
//
// Returns: NULL if it wasn't found of the auth data entry
//
// Notes:
//
//
//--------------------------------------------------------------------------
PKERB_PA_DATAKerbFindPreAuthDataEntry( IN ULONG EntryId, IN PKERB_PA_DATA_LIST AuthData ){ PKERB_PA_DATA_LIST TempData = AuthData;
while (TempData != NULL) { if (TempData->value.preauth_data_type == (int) EntryId) { break; } TempData = TempData->next; } return(TempData != NULL ? &TempData->value : NULL);}
//+-------------------------------------------------------------------------
//
// Function: KerbFreePreAuthData
//
// Synopsis: Frees a pa-data list
//
// Effects:
//
// Arguments: PreAuthData - data to free
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKerbFreePreAuthData( IN OPTIONAL PKERB_PA_DATA_LIST PreAuthData ){ PKERB_PA_DATA_LIST Next,Last;
Next = PreAuthData;
while (Next != NULL) { Last = Next->next; if (Next->value.preauth_data.value != NULL) { MIDL_user_free(Next->value.preauth_data.value); } MIDL_user_free(Next); Next = Last; }}
//+-------------------------------------------------------------------------
//
// Function: KerbFreeAuthData
//
// Synopsis: Frees and auth data structure that was allocated in
// pieces
//
// Effects: frees with MIDL_user_Free
//
// Arguments: AuthData - the auth data to free
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKerbFreeAuthData( IN PKERB_AUTHORIZATION_DATA AuthData ){ PKERB_AUTHORIZATION_DATA TempData1,TempData2;
TempData1 = AuthData; while (TempData1 != NULL) { TempData2 = TempData1->next; if (TempData1->value.auth_data.value != NULL) { MIDL_user_free(TempData1->value.auth_data.value); } MIDL_user_free(TempData1); TempData1 = TempData2; }}
//+-------------------------------------------------------------------------
//
// Function: KerbCopyAndAppendAuthData
//
// Synopsis: copies the elements from the input auth data and appends
// them to the end of the output auth data.
//
// Effects: allocates each auth data with MIDL_user_allocate
//
// Arguments: OutputAuthData - receives list of append auth data
// InputAuthData - optionally contains auth data to append
//
// Requires:
//
// Returns: KDC_ERR_NONE or KRB_ERR_GENERIC;
//
// Notes: on failure output auth data will be freed and set to NULL.
//
//
//--------------------------------------------------------------------------
KERBERRKerbCopyAndAppendAuthData( OUT PKERB_AUTHORIZATION_DATA * OutputAuthData, IN PKERB_AUTHORIZATION_DATA InputAuthData ){ KERBERR KerbErr = KDC_ERR_NONE; PKERB_AUTHORIZATION_DATA *LastEntry = OutputAuthData; PKERB_AUTHORIZATION_DATA TempEntry = NULL;
//
// Find the end of the list
//
while (*LastEntry != NULL) { LastEntry = &((*LastEntry)->next); }
while (InputAuthData != NULL) { //
// copy the existing entry
//
TempEntry = (PKERB_AUTHORIZATION_DATA) MIDL_user_allocate(sizeof(KERB_AUTHORIZATION_DATA)); if (TempEntry == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } TempEntry->value.auth_data.length = InputAuthData->value.auth_data.length; TempEntry->value.auth_data_type = InputAuthData->value.auth_data_type; TempEntry->next = NULL;
TempEntry->value.auth_data.value = (PUCHAR) MIDL_user_allocate(InputAuthData->value.auth_data.length);
if (TempEntry->value.auth_data.value == NULL) { MIDL_user_free(TempEntry); goto Cleanup; }
RtlCopyMemory( TempEntry->value.auth_data.value, InputAuthData->value.auth_data.value, InputAuthData->value.auth_data.length );
//
// add it to the end of the list
//
*LastEntry = TempEntry; LastEntry = &TempEntry->next; InputAuthData = InputAuthData->next; }
KerbErr = KDC_ERR_NONE;
Cleanup: if (!KERB_SUCCESS(KerbErr)) { KerbFreeAuthData(*OutputAuthData); *OutputAuthData = NULL; } return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbConvertCryptListToArray
//
// Synopsis: Converts a linked-list crypt vector to an array of ULONGs
//
// Effects: allocates return with MIDL_user_allocate
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKerbConvertCryptListToArray( OUT PULONG * ETypeArray, OUT PULONG ETypeCount, IN PKERB_CRYPT_LIST CryptList )
{ KERBERR Status = KDC_ERR_NONE; PKERB_CRYPT_LIST NextEType; ULONG ClientETypeCount; PULONG ClientETypes = NULL;
//
// Build a vector of the client encrypt types
//
NextEType = CryptList;
ClientETypeCount = 0; while (NextEType != NULL) { ClientETypeCount++; NextEType = NextEType->next; }
ClientETypes = (PULONG) MIDL_user_allocate(sizeof(ULONG) * ClientETypeCount); if (ClientETypes == NULL) { Status = KRB_ERR_GENERIC; goto Cleanup; }
NextEType = CryptList;
ClientETypeCount = 0; while (NextEType != NULL) { ClientETypes[ClientETypeCount] = NextEType->value; ClientETypeCount++; NextEType = NextEType->next; } *ETypeCount = ClientETypeCount; *ETypeArray = ClientETypes;
Cleanup: return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: KerbConvertArrayToCryptList
//
// Synopsis: Converts an array of encryption to types to a linked list
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKerbConvertArrayToCryptList( OUT PKERB_CRYPT_LIST * CryptList, IN PULONG ETypeArray, IN ULONG ETypeCount ){ KERBERR KerbErr = KDC_ERR_NONE; ULONG Index; PKERB_CRYPT_LIST ListHead = NULL; PKERB_CRYPT_LIST ListTail = NULL; PKERB_CRYPT_LIST NewListEntry = NULL;
//
// If there no encryption types, bail out now.
//
if (ETypeCount == 0) { *CryptList = NULL; return(KDC_ERR_NONE); }
for (Index = 0; Index < ETypeCount ; Index++ ) { NewListEntry = (PKERB_CRYPT_LIST) MIDL_user_allocate(sizeof(KERB_CRYPT_LIST)); if (NewListEntry == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } NewListEntry->value = ETypeArray[Index]; NewListEntry->next = NULL; if (ListTail != NULL) { ListTail->next = NewListEntry; } else { DsysAssert(ListHead == NULL); ListHead = NewListEntry; } ListTail = NewListEntry; }
*CryptList = ListHead; ListHead = NULL;
Cleanup: while (ListHead != NULL) { NewListEntry = ListHead->next; MIDL_user_free(ListHead); ListHead = NewListEntry; }
return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbConvertKeysToCryptList
//
// Synopsis: Converts an array of keys to types to a linked list
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKerbConvertKeysToCryptList( OUT PKERB_CRYPT_LIST * CryptList, IN PKERB_STORED_CREDENTIAL Keys ){ KERBERR KerbErr = KDC_ERR_NONE; ULONG Index; PKERB_CRYPT_LIST ListHead = NULL; PKERB_CRYPT_LIST ListTail = NULL; PKERB_CRYPT_LIST NewListEntry = NULL;
//
// If there no encryption types, bail out now.
//
if (Keys->CredentialCount == 0) { *CryptList = NULL; return(KDC_ERR_NONE); }
for (Index = 0; Index < Keys->CredentialCount ; Index++ ) { NewListEntry = (PKERB_CRYPT_LIST) MIDL_user_allocate(sizeof(KERB_CRYPT_LIST)); if (NewListEntry == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } NewListEntry->value = Keys->Credentials[Index].Key.keytype; NewListEntry->next = NULL; if (ListTail != NULL) { ListTail->next = NewListEntry; } else { DsysAssert(ListHead == NULL); ListHead = NewListEntry; } ListTail = NewListEntry; }
*CryptList = ListHead; ListHead = NULL;
Cleanup: while (ListHead != NULL) { NewListEntry = ListHead->next; MIDL_user_free(ListHead); ListHead = NewListEntry; }
return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbFreeCryptList
//
// Synopsis: Frees a list of crypt types
//
// Effects:
//
// Arguments: CryptList - List to free
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKerbFreeCryptList( IN PKERB_CRYPT_LIST CryptList ){ PKERB_CRYPT_LIST ListHead = CryptList; PKERB_CRYPT_LIST NewListEntry;
while (ListHead != NULL) { NewListEntry = ListHead->next; MIDL_user_free(ListHead); ListHead = NewListEntry; }
}
//+-------------------------------------------------------------------------
//
// Function: KerbCreateApRequest
//
// Synopsis: builds an AP request message
//
// Effects: allocates memory with MIDL_user_allocate
//
// Arguments: ClientName - Name of client
// ClientRealm - Realm of client
// SessionKey - Session key for the ticket
// SubSessionKey - obtional sub Session key for the authenticator
// Nonce - Nonce to use in authenticator
// ServiceTicket - Ticket for service to put in request
// ApOptions - Options to stick in AP request
// GssChecksum - Checksum for GSS compatibility containing
// context options and delegation info.
// KdcRequest - if TRUE, this is an AP request for a TGS req
// ServerSkewTime - Optional skew of server's time
// RequestSize - Receives size of the marshalled request
// Request - Receives the marshalled request
//
// Requires:
//
// Returns: KDC_ERR_NONE on success, KRB_ERR_GENERIC on memory or
// marshalling failure
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKerbCreateApRequest( IN PKERB_INTERNAL_NAME ClientName, IN PUNICODE_STRING ClientRealm, IN PKERB_ENCRYPTION_KEY SessionKey, IN OPTIONAL PKERB_ENCRYPTION_KEY SubSessionKey, IN ULONG Nonce, IN PKERB_TICKET ServiceTicket, IN ULONG ApOptions, IN OPTIONAL PKERB_CHECKSUM GssChecksum, IN OPTIONAL PTimeStamp ServerSkewTime, IN BOOLEAN KdcRequest, OUT PULONG RequestSize, OUT PUCHAR * Request ){ KERBERR KerbErr = KDC_ERR_NONE; KERB_AP_REQUEST ApRequest; ULONG ApFlags;
*Request = NULL; RtlZeroMemory( &ApRequest, sizeof(KERB_AP_REQUEST) );
//
// Fill in the AP request structure.
//
ApRequest.version = KERBEROS_VERSION; ApRequest.message_type = KRB_AP_REQ; ApFlags = KerbConvertUlongToFlagUlong(ApOptions); ApRequest.ap_options.value = (PUCHAR) &ApFlags; ApRequest.ap_options.length = sizeof(ULONG) * 8; ApRequest.ticket = *ServiceTicket;
//
// Create the authenticator for the request
//
KerbErr = KerbCreateAuthenticator( SessionKey, SessionKey->keytype, Nonce, ClientName, ClientRealm, ServerSkewTime, SubSessionKey, GssChecksum, KdcRequest, &ApRequest.authenticator ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to build authenticator: 0x%x\n", KerbErr )); goto Cleanup; }
//
// Now marshall the request
//
KerbErr = KerbPackApRequest( &ApRequest, RequestSize, Request );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"Failed to pack AP request: 0x%x\n",KerbErr)); goto Cleanup; }
Cleanup: if (ApRequest.authenticator.cipher_text.value != NULL) { MIDL_user_free(ApRequest.authenticator.cipher_text.value); } return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbInitAsn
//
// Synopsis: Initializes asn1 marshalling code
//
// Effects:
//
// Arguments: none
//
// Requires:
//
// Returns: KDC_ERR_NONE on success, KRB_ERR_GENERIC on failure
//
// Notes:
//
//
//--------------------------------------------------------------------------
BOOL fKRB5ModuleStarted = FALSE;
KERBERRKerbInitAsn( IN OUT ASN1encoding_t * pEnc, IN OUT ASN1decoding_t * pDec ){ int Result; KERBERR KerbErr = KRB_ERR_GENERIC; ASN1error_e Asn1Err;
if (!fKRB5ModuleStarted) { fKRB5ModuleStarted = TRUE; KRB5_Module_Startup(); }
if (pEnc != NULL) { Asn1Err = ASN1_CreateEncoder( KRB5_Module, pEnc, NULL, // pbBuf
0, // cbBufSize
NULL // pParent
); } else { Asn1Err = ASN1_CreateDecoder( KRB5_Module, pDec, NULL, // pbBuf
0, // cbBufSize
NULL // pParent
); }
if (ASN1_SUCCESS != Asn1Err) { DebugLog((DEB_ERROR, "Failed to init ASN1: 0x%x\n",Asn1Err)); goto Cleanup; }
KerbErr = KDC_ERR_NONE;
Cleanup:
return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbTermAsn
//
// Synopsis: terminates an ASN world
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKerbTermAsn( IN ASN1encoding_t pEnc, IN ASN1decoding_t pDec ){ if (pEnc != NULL) { ASN1_CloseEncoder(pEnc); } else if (pDec != NULL) { ASN1_CloseDecoder(pDec); }
//KRB5_Module_Cleanup();
}
//+-------------------------------------------------------------------------
//
// Function: KerbPackData
//
// Synopsis: Packs a datatype using ASN.1 encoding
//
// Effects: allocates memory with MIDL_user_allocate
//
// Arguments: Data - The message to marshall/pack.
// PduValue - The PDU for the message type
// DataSize - receives the size of the marshalled message in
// bytes.
// MarshalledData - receives a pointer to the marshalled
// message buffer.
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERR NTAPIKerbPackData( IN PVOID Data, IN ULONG PduValue, OUT PULONG DataSize, OUT PUCHAR * MarshalledData ){ KERBERR KerbErr = KDC_ERR_NONE; int Result = 0; PUCHAR Buffer = NULL; ASN1encoding_t pEnc = NULL; ASN1error_e Asn1Err;
KerbErr = KerbInitAsn( &pEnc, // we are encoding
NULL ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
//
// Encode the data type.
//
D_DebugLog((DEB_TRACE,"encoding pdu #%d\n",PduValue)); Asn1Err = ASN1_Encode( pEnc, Data, PduValue, ASN1ENCODE_ALLOCATEBUFFER, NULL, // pbBuf
0 // cbBufSize
);
if (!ASN1_SUCCEEDED(Asn1Err)) { DebugLog((DEB_ERROR,"Failed to encode data: %d\n",Asn1Err)); KerbErr = KRB_ERR_GENERIC; goto Cleanup; } else { //
// when the oss compiler was used the allocation routines were configurable.
// therefore, the encoded data could just be free'd using our
// deallocator. in the new model we cannot configure the allocation routines
// for encoding.
// so we do not have to go and change every place where a free
// of an encoded buffer is done, use our allocator to allocate a new buffer,
// then copy the encoded data to it, and free the buffer that was allocated by
// the encoding engine. THIS SHOULD BE CHANGED FOR BETTER PERFORMANCE
//
*MarshalledData = (PUCHAR) MIDL_user_allocate(pEnc->len); if (*MarshalledData == NULL) { KerbErr = KRB_ERR_GENERIC; *DataSize = 0; } else { RtlCopyMemory(*MarshalledData, pEnc->buf, pEnc->len); *DataSize = pEnc->len;
}
ASN1_FreeEncoded(pEnc, pEnc->buf); }
Cleanup:
KerbTermAsn(pEnc, NULL);
return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbUnpackData
//
// Synopsis: Unpacks an message from the ASN.1 encoding
//
// Effects:
//
// Arguments: Data - Buffer containing the reply message.
// DataSize - Size of the reply message in bytes
// Reply - receives a KERB_ENCRYPTED_DATA structure allocated with
// MIDL_user_allocate.
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERR NTAPIKerbUnpackData( IN PUCHAR Data, IN ULONG DataSize, IN ULONG PduValue, OUT PVOID * DecodedData ){ int Result; ULONG OldPduValue; KERBERR KerbErr = KDC_ERR_NONE; ASN1decoding_t pDec = NULL; ASN1error_e Asn1Err;
if ((DataSize == 0) || (Data == NULL)) { DebugLog((DEB_ERROR,"Trying to unpack NULL data\n")); return(KRB_ERR_GENERIC); }
KerbErr = KerbInitAsn( NULL, &pDec // we are decoding
); if (!KERB_SUCCESS(KerbErr)) { return(KerbErr); }
*DecodedData = NULL; Asn1Err = ASN1_Decode( pDec, DecodedData, PduValue, ASN1DECODE_SETBUFFER, (BYTE *) Data, DataSize );
if (!ASN1_SUCCEEDED(Asn1Err)) {
if ((ASN1_ERR_BADARGS == Asn1Err) || (ASN1_ERR_EOD == Asn1Err)) { D_DebugLog((DEB_TRACE,"More input required to decode data %d.\n",PduValue)); KerbErr = KDC_ERR_MORE_DATA; } else { if (ASN1_ERR_BADTAG != Asn1Err) { DebugLog((DEB_ERROR,"Failed to decode data: %d\n", Asn1Err )); } KerbErr = KRB_ERR_GENERIC; } *DecodedData = NULL; }
KerbTermAsn(NULL, pDec);
return(KerbErr);
}
//+-------------------------------------------------------------------------
//
// Function: KerbFreeData
//
// Synopsis: Frees a structure unpacked by the ASN1 decoder
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKerbFreeData( IN ULONG PduValue, IN PVOID Data ){ ASN1decoding_t pDec = NULL;
if (ARGUMENT_PRESENT(Data)) { KERBERR KerbErr; KerbErr = KerbInitAsn( NULL, &pDec // this is a decoded structure
);
if (KERB_SUCCESS(KerbErr)) { ASN1_FreeDecoded(pDec, Data, PduValue);
KerbTermAsn(NULL, pDec); } }
}
//+-------------------------------------------------------------------------
//
// Function: KerbFreeTicketExtensions
//
// Synopsis: Frees a host address allocated with KerbDuplicateTicketExtensions
//
// Effects:
//
// Arguments: Addresses - The name to free
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKerbFreeTicketExtensions( IN PKERB_TICKET_EXTENSIONS Extensions ){ PKERB_TICKET_EXTENSIONS Elem,NextElem;
Elem = Extensions; while (Elem != NULL) { if (Elem->value.te_data.value != NULL) { MIDL_user_free(Elem->value.te_data.value); } NextElem = Elem->next; MIDL_user_free(Elem); Elem = NextElem; }}
//+-------------------------------------------------------------------------
//
// Function: KerbDuplicateTicketExtensions
//
// Synopsis: duplicates the ticket extensions field from a ticket
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKerbDuplicateTicketExtensions( OUT PKERB_TICKET_EXTENSIONS * Dest, IN PKERB_TICKET_EXTENSIONS Source ){ KERBERR Status = KDC_ERR_NONE; PKERB_TICKET_EXTENSIONS SourceElem; PKERB_TICKET_EXTENSIONS DestElem; PKERB_TICKET_EXTENSIONS * NextElem;
*Dest = NULL;
SourceElem = Source; NextElem = Dest;
while (SourceElem != NULL) { DestElem = (PKERB_TICKET_EXTENSIONS) MIDL_user_allocate(sizeof(KERB_TICKET_EXTENSIONS)); if (DestElem == NULL) { Status = KRB_ERR_GENERIC; goto Cleanup; } *DestElem = *SourceElem; DestElem->value.te_data.value = (PUCHAR) MIDL_user_allocate(SourceElem->value.te_data.length); if (DestElem->value.te_data.value == NULL) { MIDL_user_free(DestElem); Status = KRB_ERR_GENERIC; goto Cleanup; } RtlCopyMemory( DestElem->value.te_data.value, SourceElem->value.te_data.value, SourceElem->value.te_data.length ); DestElem->next = NULL; *NextElem = DestElem; NextElem = &DestElem->next; SourceElem = SourceElem->next; }
Cleanup: if (!KERB_SUCCESS(Status)) { KerbFreeTicketExtensions(*Dest); *Dest = NULL; } return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: KerbDuplicateTicket
//
// Synopsis: Duplicates a ticket so the original may be freed
//
// Effects:
//
// Arguments: Dest - Destination, receives duplicate
// Source - Source ticket
//
// Requires:
//
// Returns: KDC_ERR_NONE or KRB_ERR_GENERIC;
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERR NTAPIKerbDuplicateTicket( OUT PKERB_TICKET Dest, IN PKERB_TICKET Source ){ KERBERR KerbErr = KDC_ERR_NONE; RtlZeroMemory( Dest, sizeof(KERB_TICKET) );
Dest->ticket_version = Source->ticket_version; KerbErr = KerbDuplicatePrincipalName( &Dest->server_name, &Source->server_name ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KerbDuplicateRealm( &Dest->realm, Source->realm ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
KerbErr = KerbDuplicateTicketExtensions( &Dest->ticket_extensions, Source->ticket_extensions ); if (!KERB_SUCCESS(KerbErr)) { goto Cleanup; }
Dest->encrypted_part = Source->encrypted_part; Dest->encrypted_part.cipher_text.value = (PUCHAR) MIDL_user_allocate(Dest->encrypted_part.cipher_text.length); if (Dest->encrypted_part.cipher_text.value == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } RtlCopyMemory( Dest->encrypted_part.cipher_text.value, Source->encrypted_part.cipher_text.value, Dest->encrypted_part.cipher_text.length );
Cleanup: if (!KERB_SUCCESS(KerbErr)) { KerbFreeDuplicatedTicket(Dest); } return(KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbFreeDuplicatedTicket
//
// Synopsis: Frees ticket duplicated with KerbDuplicateTicket
//
// Effects: frees memory
//
// Arguments: Ticket - ticket to free
//
// Requires:
//
// Returns: none
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKerbFreeDuplicatedTicket( IN PKERB_TICKET Ticket ){ KerbFreePrincipalName( &Ticket->server_name ); KerbFreeRealm( &Ticket->realm ); if (Ticket->encrypted_part.cipher_text.value != NULL) { MIDL_user_free(Ticket->encrypted_part.cipher_text.value); } KerbFreeTicketExtensions( Ticket->ticket_extensions );}
//+-------------------------------------------------------------------------
//
// Function: KerbBuildErrorMessageEx
//
// Synopsis: Builds an error message
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns: marshalled error message, to be freed with MIDL_user_free
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKerbBuildErrorMessageEx( IN KERBERR ErrorCode, IN OPTIONAL PKERB_EXT_ERROR pExtendedError, IN PUNICODE_STRING ServerRealm, IN PKERB_INTERNAL_NAME ServerName, IN OPTIONAL PUNICODE_STRING ClientRealm, IN PBYTE ErrorData, IN ULONG ErrorDataSize, OUT PULONG ErrorMessageSize, OUT PUCHAR* ErrorMessage ){ KERBERR KerbErr = KDC_ERR_NONE; KERB_ERROR Error; KERB_TYPED_DATA Data = {0}; TimeStamp TimeNow;
*ErrorMessageSize = 0; *ErrorMessage = NULL;
GetSystemTimeAsFileTime( (PFILETIME) &TimeNow );
RtlZeroMemory( &Error, sizeof(KERB_ERROR) );
DsysAssert(ErrorCode != KDC_ERR_MORE_DATA);
Error.version = KERBEROS_VERSION; Error.message_type = KRB_ERROR;
KerbConvertLargeIntToGeneralizedTimeWrapper( &Error.server_time, &Error.server_usec, &TimeNow );
Error.error_code = ErrorCode;
//
// Ignore errors because this is already an error return
//
KerbConvertUnicodeStringToRealm( &Error.realm, ServerRealm );
if (ARGUMENT_PRESENT(ClientRealm) && (ClientRealm->Buffer != NULL)) { KerbConvertUnicodeStringToRealm( &Error.client_realm, ClientRealm );
Error.bit_mask |= client_realm_present; }
KerbConvertKdcNameToPrincipalName( &Error.server_name, ServerName );
//
// Small problem here. We may have preauth data that we want
// to return to the client, instead of extended errors. To
// avoid this, we just make sure that we only return extended
// errors if no ErrorData previously set.
//
if (ARGUMENT_PRESENT(ErrorData)) { Error.error_data.length = (int) ErrorDataSize; Error.error_data.value = ErrorData; Error.bit_mask |= error_data_present; } else if (ARGUMENT_PRESENT(pExtendedError) && !EXT_ERROR_SUCCESS((*pExtendedError))) { Data.data_type = TD_EXTENDED_ERROR;
KerbErr = KerbPackData( pExtendedError, KERB_EXT_ERROR_PDU, &Data.data_value.length, &Data.data_value.value );
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_WARN, "KerbBuildErrorMessageEx failed To pack extended error %#x!\n", KerbErr)); goto Cleanup; }
Error.bit_mask |= error_data_present;
KerbErr = TypedDataListPushFront( NULL, &Data, &Error.error_data.length, &Error.error_data.value ); if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_WARN, "KerbBuildErrorMessageEx failed To pack typed data %#x!\n", KerbErr)); goto Cleanup; } }
KerbErr = KerbPackData( &Error, KERB_ERROR_PDU, ErrorMessageSize, ErrorMessage );
Cleanup:
KerbFreeRealm( &Error.realm );
KerbFreeRealm( &Error.client_realm );
KerbFreePrincipalName( &Error.server_name );
if (Data.data_value.value && Data.data_value.length) { MIDL_user_free(Data.data_value.value); }
if ((ErrorData != Error.error_data.value) && Error.error_data.value && Error.error_data.length) { MIDL_user_free(Error.error_data.value); }
return (KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbBuildExtendedError
//
// Synopsis: Packs the extended error data structure into a
// KERB_ERROR_METHOD_DATA structure for return to
// client
//
// Effects:
//
// Arguments: pExtendedError, pointer to extended error
//
// Requires:
//
// Returns: KERBERR to indicate successful packing
//
//--------------------------------------------------------------------------
KERBERRKerbBuildExtendedError( IN PKERB_EXT_ERROR pExtendedError, OUT PULONG ExtErrorSize, OUT PBYTE* ExtErrorData ){ KERB_ERROR_METHOD_DATA ErrorMethodData; KERBERR KerbErr;
ErrorMethodData.data_type = TD_EXTENDED_ERROR; ErrorMethodData.bit_mask |= data_value_present; ErrorMethodData.data_value.value = (PBYTE) pExtendedError; ErrorMethodData.data_value.length = sizeof(KERB_EXT_ERROR);
KerbErr = KerbPackData( &ErrorMethodData, KERB_EXT_ERROR_PDU, ExtErrorSize, ExtErrorData );
return (KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbGetKeyFromList
//
// Synopsis: Gets the key of the appropriate encryption type off the list
//
// Effects:
//
// Arguments: Passwords - list of keys
// EncryptionType - Encryption type to use
//
// Requires:
//
// Returns: The found key, or NULL if one wasn't found
//
// Notes:
//
//
//--------------------------------------------------------------------------
PKERB_ENCRYPTION_KEYKerbGetKeyFromList( IN PKERB_STORED_CREDENTIAL Passwords, IN ULONG EncryptionType ){ ULONG Index;
if (!ARGUMENT_PRESENT(Passwords)) { return(NULL); }
for (Index = 0; Index < Passwords->CredentialCount ; Index++ ) { if (Passwords->Credentials[Index].Key.keytype == (int) EncryptionType) { return(&Passwords->Credentials[Index].Key); } } return(NULL);}
//+-------------------------------------------------------------------------
//
// Function: KerbFindCommonCryptSystem
//
// Synopsis: Finds a common crypt system including availablity
// of passwords.
//
// Effects:
//
// Arguments: CryptList - List of client's crypto systems
// Passwords - List of passwords
// MorePassword - Optionally another list of passwords to consider
// CommonCryptSystem - Receives common crypo system ID
// Key - Receives key for common crypt system
//
// Requires:
//
// Returns: KDC_ERR_ETYPE_NOTSUPP if no common system can be found
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKerbFindCommonCryptSystem( IN PKERB_CRYPT_LIST CryptList, IN PKERB_STORED_CREDENTIAL Passwords, IN OPTIONAL PKERB_STORED_CREDENTIAL MorePasswords, OUT PULONG CommonCryptSystem, OUT PKERB_ENCRYPTION_KEY * Key ){ ULONG PasswordTypes[KERB_MAX_CRYPTO_SYSTEMS] = {0};
PULONG pCryptoSystems = NULL; ULONG CryptoSystems[KERB_MAX_CRYPTO_SYSTEMS]; ULONG PasswordCount; ULONG CryptoCount; ULONG Index; PKERB_CRYPT_LIST NextEType; ULONG Index2; ULONG KeyCount; KERBERR KerbErr = KDC_ERR_ETYPE_NOTSUPP;
if ((Passwords == NULL ) || (CryptList == NULL)) { DebugLog((DEB_ERROR, "Null password or crypt list passed to KerbFindCommonCryptSystem\n")); return(KDC_ERR_ETYPE_NOTSUPP); } PasswordCount = Passwords->CredentialCount;
if (PasswordCount >= KERB_MAX_CRYPTO_SYSTEMS) { D_DebugLog((DEB_ERROR, "Got more than 20 crypto systems in password list\n")); DsysAssert(PasswordCount < KERB_MAX_CRYPTO_SYSTEMS); return(KDC_ERR_ETYPE_NOTSUPP); }
KeyCount = 0; for (Index = 0; Index < PasswordCount ; Index++ ) {
if (ARGUMENT_PRESENT(MorePasswords)) { for (Index2 = 0; Index2 < MorePasswords->CredentialCount; Index2++ ) { if (Passwords->Credentials[Index].Key.keytype == MorePasswords->Credentials[Index2].Key.keytype) { PasswordTypes[KeyCount++] = (ULONG) Passwords->Credentials[Index].Key.keytype; break; } } } else { PasswordTypes[KeyCount++] = (ULONG) Passwords->Credentials[Index].Key.keytype; } }
CryptoCount = 0; NextEType = CryptList;
while (NextEType != NULL) { NextEType = NextEType->next; CryptoCount++;
// restrict to 100 crypt systems, even on a slowbuffer.
if (CryptoCount > KERB_MAX_CRYPTO_SYSTEMS_SLOWBUFF) { return(KDC_ERR_ETYPE_NOTSUPP); } }
if (CryptoCount >= KERB_MAX_CRYPTO_SYSTEMS) { pCryptoSystems = (PULONG) MIDL_user_allocate(CryptoCount * sizeof(ULONG)); if (NULL == pCryptoSystems) { return ( KRB_ERR_GENERIC ); } } else // fast buff
{ pCryptoSystems = CryptoSystems; }
// populate values
NextEType = CryptList; Index = 0;
while (NextEType != NULL) { pCryptoSystems[Index] = NextEType->value; NextEType = NextEType->next; Index++; }
DsysAssert(Index == CryptoCount);
if (!NT_SUCCESS(CDFindCommonCSystemWithKey( CryptoCount, pCryptoSystems, PasswordCount, PasswordTypes, CommonCryptSystem ))) { DebugLog((DEB_ERROR, "KLIN(%x) Missing common crypt system\n", KLIN(FILENO, __LINE__))); goto cleanup; }
//
// Now find the key to return.
//
for (Index = 0; Index < Passwords->CredentialCount ; Index++ ) { if (Passwords->Credentials[Index].Key.keytype == (int) *CommonCryptSystem) { *Key = &Passwords->Credentials[Index].Key; KerbErr = KDC_ERR_NONE; } }
if (!KERB_SUCCESS(KerbErr)) { DebugLog((DEB_ERROR,"KLIN(%x) Couldn't find password type after finding common csystem!\n", KLIN(FILENO, __LINE__))); }
cleanup:
if ((pCryptoSystems != NULL) && (pCryptoSystems != CryptoSystems)) { MIDL_user_free(pCryptoSystems); }
return (KerbErr);}
//+-------------------------------------------------------------------------
//
// Function: KerbMapKerbError
//
// Synopsis: Maps a kerb error to an NTSTATUS
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUSKerbMapKerbError( IN KERBERR KerbError ){ NTSTATUS Status; switch(KerbError) { case KDC_ERR_NONE: Status = STATUS_SUCCESS; break; case KDC_ERR_CLIENT_REVOKED: Status = STATUS_ACCOUNT_DISABLED; break; case KDC_ERR_KEY_EXPIRED: Status = STATUS_PASSWORD_EXPIRED; break; case KRB_ERR_GENERIC: Status = STATUS_INSUFFICIENT_RESOURCES; break; case KRB_AP_ERR_SKEW: case KRB_AP_ERR_TKT_NYV: // Note this was added because of the following scenario:
// Let's say the dc and the client have the correct time. And the
// server's time is off. We aren't going to get rid of the ticket for the
// server on the client because it hasn't expired yet. But, the server
// thinks it has. If event logging was turned on, then admins could look
// at the server's event log and potentially deduce that the server's
// time is off relative to the dc.
case KRB_AP_ERR_TKT_EXPIRED: Status = STATUS_TIME_DIFFERENCE_AT_DC; break; case KDC_ERR_POLICY: Status = STATUS_ACCOUNT_RESTRICTION; break; case KDC_ERR_C_PRINCIPAL_UNKNOWN: Status = STATUS_NO_SUCH_USER; break; case KDC_ERR_S_PRINCIPAL_UNKNOWN: Status = STATUS_NO_TRUST_SAM_ACCOUNT; break; case KRB_AP_ERR_MODIFIED: case KDC_ERR_PREAUTH_FAILED: Status = STATUS_WRONG_PASSWORD; break; case KRB_ERR_RESPONSE_TOO_BIG: Status = STATUS_INVALID_BUFFER_SIZE; break; case KDC_ERR_PADATA_TYPE_NOSUPP: Status = STATUS_NOT_SUPPORTED; break; case KRB_AP_ERR_NOT_US: Status = SEC_E_WRONG_PRINCIPAL; break;
case KDC_ERR_SVC_UNAVAILABLE: Status = STATUS_NO_LOGON_SERVERS; break; case KDC_ERR_WRONG_REALM: Status = STATUS_NO_LOGON_SERVERS; break; case KDC_ERR_CANT_VERIFY_CERTIFICATE: Status = TRUST_E_SYSTEM_ERROR; break; case KDC_ERR_INVALID_CERTIFICATE: Status = STATUS_INVALID_PARAMETER; break; case KDC_ERR_REVOKED_CERTIFICATE: Status = CRYPT_E_REVOKED; break; case KDC_ERR_REVOCATION_STATUS_UNKNOWN: Status = CRYPT_E_NO_REVOCATION_CHECK; break; case KDC_ERR_REVOCATION_STATUS_UNAVAILABLE: Status = CRYPT_E_REVOCATION_OFFLINE; break; case KDC_ERR_CLIENT_NAME_MISMATCH: case KERB_PKINIT_CLIENT_NAME_MISMATCH: case KDC_ERR_KDC_NAME_MISMATCH: Status = STATUS_PKINIT_NAME_MISMATCH; break; case KDC_ERR_PATH_NOT_ACCEPTED: Status = STATUS_TRUST_FAILURE; break; case KDC_ERR_ETYPE_NOTSUPP: Status = STATUS_KDC_UNKNOWN_ETYPE; break; case KDC_ERR_MUST_USE_USER2USER: case KRB_AP_ERR_USER_TO_USER_REQUIRED: Status = STATUS_USER2USER_REQUIRED; break; case KRB_AP_ERR_NOKEY: Status = STATUS_NO_KERB_KEY; break; default: Status = STATUS_LOGON_FAILURE; } return(Status);}
//+-------------------------------------------------------------------------
//
// Function: KerbMakeDomainRelativeSid
//
// Synopsis: Given a domain Id and a relative ID create the corresponding
// SID allocated with MIDL_user_allocate.
//
// Effects:
//
// Arguments: DomainId - The template SID to use.
//
// RelativeId - The relative Id to append to the DomainId.
//
// Requires:
//
// Returns: Sid - Returns a pointer to a buffer allocated from
// MIDL_user_allocate containing the resultant Sid.
//
// Notes:
//
//
//--------------------------------------------------------------------------
PSIDKerbMakeDomainRelativeSid( IN PSID DomainId, IN ULONG RelativeId ){ UCHAR DomainIdSubAuthorityCount; ULONG Size; PSID Sid;
//
// Allocate a Sid which has one more sub-authority than the domain ID.
//
DomainIdSubAuthorityCount = *(RtlSubAuthorityCountSid( DomainId )); Size = RtlLengthRequiredSid(DomainIdSubAuthorityCount+1);
if ((Sid = MIDL_user_allocate( Size )) == NULL ) { return NULL; }
//
// Initialize the new SID to have the same inital value as the
// domain ID.
//
if ( !NT_SUCCESS( RtlCopySid( Size, Sid, DomainId ) ) ) { MIDL_user_free( Sid ); return NULL; }
//
// Adjust the sub-authority count and
// add the relative Id unique to the newly allocated SID
//
(*(RtlSubAuthorityCountSid( Sid ))) ++; *RtlSubAuthoritySid( Sid, DomainIdSubAuthorityCount ) = RelativeId;
return Sid;}
//+-------------------------------------------------------------------------
//
// Function: KerbFreeCertificateList
//
// Synopsis: Frees a list of certificates created by KerbCreateCertificateList
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOIDKerbFreeCertificateList( IN PKERB_CERTIFICATE_LIST Certificates ){ PKERB_CERTIFICATE_LIST Last,Next;
Last = NULL; Next = Certificates; while (Next != NULL) { Last = Next; Next = Next->next; if (Last->value.cert_data.value != NULL) { MIDL_user_free(Last->value.cert_data.value); } MIDL_user_free(Last); }}
//+-------------------------------------------------------------------------
//
// Function: KerbCreateCertificateList
//
// Synopsis: Creates a list of certificates from a cert context
//
// Effects:
//
// Arguments: Certficates - receives list of certificates.
// CertContext - Context containing certificates
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKerbCreateCertificateList( OUT PKERB_CERTIFICATE_LIST * Certificates, IN PCCERT_CONTEXT CertContext ){ KERBERR KerbErr = KDC_ERR_NONE; PKERB_CERTIFICATE_LIST ListEntry = NULL;
if (!ARGUMENT_PRESENT(CertContext)) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } //
// Croft up a bogus certificate entry
//
ListEntry = (PKERB_CERTIFICATE_LIST) MIDL_user_allocate(sizeof(KERB_CERTIFICATE_LIST)); if (ListEntry == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } ListEntry->next = NULL; ListEntry->value.cert_type = KERB_CERTIFICATE_TYPE_X509; ListEntry->value.cert_data.length = CertContext->cbCertEncoded; ListEntry->value.cert_data.value = (PUCHAR) MIDL_user_allocate(ListEntry->value.cert_data.length); if (ListEntry->value.cert_data.value == NULL) { KerbErr = KRB_ERR_GENERIC; goto Cleanup; } RtlCopyMemory( ListEntry->value.cert_data.value, CertContext->pbCertEncoded, CertContext->cbCertEncoded ); *Certificates = ListEntry; ListEntry = NULL;
Cleanup: KerbFreeCertificateList(ListEntry); return(KerbErr);
}
//+-------------------------------------------------------------------------
//
// Function: KerbConvertFlagsToUlong
//
// Synopsis: Converts a bit-stream flags field into a ULONG
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
ULONGKerbConvertFlagsToUlong( IN PVOID Flags ){ ULONG Output = 0; PUCHAR OutputPointer = &((PUCHAR) &Output)[3]; ULONG Index = 0; PKERB_TICKET_FLAGS InternalFlags = (PKERB_TICKET_FLAGS) Flags; ULONG InternalLength;
if (InternalFlags->length > 32) { InternalLength = 32; } else { InternalLength = (ULONG) InternalFlags->length; }
while (InternalLength > 7) { *OutputPointer = InternalFlags->value[Index++]; OutputPointer--; InternalLength -= 8; }
//
// Copy the remaining bits, masking off what should be zero
//
if (InternalLength != 0) { *OutputPointer = InternalFlags->value[Index] & ~((1 << (8-InternalLength)) - 1); }
return(Output);
}
//+-------------------------------------------------------------------------
//
// Function: KerbConvertUlongToFlagUlong
//
// Synopsis: Converts the byte order of a ULONG into that used by flags
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
ULONGKerbConvertUlongToFlagUlong( IN ULONG Flag ){ ULONG ReturnFlag;
((PUCHAR) &ReturnFlag)[0] = ((PUCHAR) &Flag)[3]; ((PUCHAR) &ReturnFlag)[1] = ((PUCHAR) &Flag)[2]; ((PUCHAR) &ReturnFlag)[2] = ((PUCHAR) &Flag)[1]; ((PUCHAR) &ReturnFlag)[3] = ((PUCHAR) &Flag)[0];
return(ReturnFlag);}
//+-------------------------------------------------------------------------
//
// Function: KerbCompareObjectIds
//
// Synopsis: Compares two object IDs for equality
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
BOOLEANKerbCompareObjectIds( IN PKERB_OBJECT_ID Object1, IN PKERB_OBJECT_ID Object2 ){ while (Object1 != NULL) {
if (Object2 == NULL) { return(FALSE); }
if (Object1->value != Object2->value) { return(FALSE); } Object1 = Object1->next; Object2 = Object2->next; }
if (Object2 != NULL) { return(FALSE); } else { return(TRUE); }}
//+-------------------------------------------------------------------------
//
// Function: KdcGetClientNetbiosAddress
//
// Synopsis: Gets the client's netbios address from the list of
// addresses it sends.
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKerbGetClientNetbiosAddress( OUT PUNICODE_STRING ClientNetbiosAddress, IN PKERB_HOST_ADDRESSES Addresses ){ PKERB_HOST_ADDRESSES TempAddress = Addresses; STRING TempString; KERBERR KerbErr;
RtlInitUnicodeString( ClientNetbiosAddress, NULL );
while (TempAddress != NULL) { //
// Check for netbios
//
if (TempAddress->value.address_type == KERB_ADDRTYPE_NETBIOS) { //
// Copy out the string
//
TempString.Buffer = (PCHAR) TempAddress->value.address.value; TempString.Length = TempString.MaximumLength = (USHORT) TempAddress->value.address.length;
KerbErr = KerbStringToUnicodeString( ClientNetbiosAddress, &TempString ); if (KERB_SUCCESS(KerbErr)) { //
// Strip trailing spaces
//
if (ClientNetbiosAddress->Length >= sizeof(WCHAR)) { while ((ClientNetbiosAddress->Length > 0) && (ClientNetbiosAddress->Buffer[(ClientNetbiosAddress->Length / sizeof(WCHAR))-1] == L' ')) { ClientNetbiosAddress->Length -= sizeof(WCHAR); } return(KDC_ERR_NONE); } } else { return(KerbErr); }
}
TempAddress = TempAddress->next; }
//
// It is o.k. to not have a netbios name
//
return(KDC_ERR_NONE);}//+-------------------------------------------------------------------------
//
// Function: KerbGetPacFromAuthData
//
// Synopsis: Gets the PAC from the auth data list
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
KERBERRKerbGetPacFromAuthData( IN PKERB_AUTHORIZATION_DATA AuthData, OUT PKERB_IF_RELEVANT_AUTH_DATA ** ReturnIfRelevantData, OUT PKERB_AUTHORIZATION_DATA * Pac ){ KERBERR KerbErr = KDC_ERR_NONE; PKERB_AUTHORIZATION_DATA PacAuthData = NULL; PKERB_AUTHORIZATION_DATA RelevantAuthData = NULL; PKERB_IF_RELEVANT_AUTH_DATA * IfRelevantData = NULL;
*ReturnIfRelevantData = NULL; *Pac = NULL;
//
// Look for the if-relevant data
//
RelevantAuthData = KerbFindAuthDataEntry( KERB_AUTH_DATA_IF_RELEVANT, AuthData ); if (RelevantAuthData != NULL) { //
// Unpack it
//
KerbErr = KerbUnpackData( RelevantAuthData->value.auth_data.value, RelevantAuthData->value.auth_data.length, PKERB_IF_RELEVANT_AUTH_DATA_PDU, (PVOID *) &IfRelevantData ); if (KERB_SUCCESS(KerbErr)) { //
// Look for the PAC in the if-relevant data
//
PacAuthData = KerbFindAuthDataEntry( KERB_AUTH_DATA_PAC, *IfRelevantData ); } else { //
// We don't mind if we couldn't unpack it.
// Tickets do not always have PAC information.
//
KerbErr = KDC_ERR_NONE; }
}
//
// If we didn't find it in the if-relevant data, look outside
//
if (PacAuthData == NULL) { PacAuthData = KerbFindAuthDataEntry( KERB_AUTH_DATA_PAC, AuthData );
}
//
// Copy the PAC to return it
//
if (PacAuthData != NULL) { *Pac = PacAuthData; }
*ReturnIfRelevantData = IfRelevantData; IfRelevantData = NULL;
return(KerbErr);}
#if DBG
#define KERB_DEBUG_WARN_LEVEL 0x0002
//+-------------------------------------------------------------------------
//
// Function: DebugDisplayTime
//
// Synopsis: Displays a FILETIME
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
voidDebugDisplayTime( IN ULONG DebugLevel, IN FILETIME *pFileTime ){ CHAR pszTime[256]; SYSTEMTIME SystemTime;
if (DebugLevel & KERB_DEBUG_WARN_LEVEL) { FileTimeToSystemTime(pFileTime, &SystemTime);
DebugLog((DEB_ERROR," %02d:%02d:%02d - %02d %02d %04d\n", SystemTime.wHour,SystemTime.wMinute,SystemTime.wSecond, SystemTime.wDay,SystemTime.wMonth,SystemTime.wYear)); } return;}#endif
|
