Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

2636 lines
62 KiB

//+-----------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (c) Microsoft Corporation 1991 - 1992
//
// File: sphelp.c
//
// Contents: Security Package Helper functions (see isecpkg.doc)
//
// Functions LsapUnloadPackage
// LsapAllocate
// LsapFree
// LsapClientAllocate
// LsapCopyToClient
// LsapCopyFromClient
// LsapClientFree
// LsapOpenClientProcess
// LsapOpenClientThread
// LsapDuplicateHandle
// LsapSaveSupplementalCredentials
// LsapGetWindow
// LsapCreateThread
// LsapMapClientBuffer
//
//
// Notes: By defining TRACK_MEM, we will track all use of memory
// allocated through the LsapAllocate. DBG_MEM will track
// memory leaks.
//
// History: 20 May 92 RichardW Created
//
//------------------------------------------------------------------------
#include <lsapch.hxx>
extern "C"
{
#include "sesmgr.h"
#include "spdebug.h"
#include "klpcstub.h"
}
typedef struct _LSAP_THREAD_START {
LPTHREAD_START_ROUTINE lpStart;
LPVOID lpParm;
ULONG_PTR dwPackageID;
} LSAP_THREAD_START, *PLSAP_THREAD_START;
extern LSA_CALL_INFO LsapDefaultCallInfo ;
ULONG_PTR LsapUserModeLimit ;
//
// private heaps defines.
//
// HEAP_HEADER should always be size even multiple of heap allocation granularity
//
typedef struct {
HANDLE hHeap;
SIZE_T Magic;
} HEAP_HEADER_LSA, *PHEAP_HEADER_LSA;
#define HEAP_COUNT_MAX 32
#define HEAP_MAGIC_TAG 0x66677766
HANDLE gHeaps[ HEAP_COUNT_MAX ];
DWORD gcHeaps;
#if DBG
//
// Failure simulation parameters
//
ULONG TotalAllocations;
ULONG_PTR PackageToFail = SPMGR_ID;
SpmDbg_MemoryFailure MemFail;
#endif // DBG
void
CacheMachineInReg(GUID *);
#define MEM_MAGIC 0x0feedbed
#define MEM_FREED 0x0b00b00b
#define MEM_MASK 0x0FFFFFFF
#define MEM_NEVER 0x10000000
LSA_SECPKG_FUNCTION_TABLE LsapSecpkgFunctionTable = {
LsapCreateLogonSession,
LsapDeleteLogonSession,
LsapAddCredential,
LsapGetCredentials,
LsapDeleteCredential,
LsapAllocateLsaHeap,
LsapFreeLsaHeap,
LsapAllocateClientBuffer,
LsapFreeClientBuffer,
LsapCopyToClientBuffer,
LsapCopyFromClientBuffer,
LsapImpersonateClient,
LsapUnloadPackage,
LsapDuplicateHandle,
NULL, // LsapSaveSupplementalCredentials,
LsapCreateThread,
LsapGetClientInfo,
LsaIRegisterNotification,
LsaICancelNotification,
LsapMapClientBuffer,
LsapCreateToken,
LsapAuditLogon,
LsaICallPackage,
LsaIFreeReturnBuffer,
LsapGetCallInfo,
LsaICallPackageEx,
LsaCreateSharedMemory,
LsaAllocateSharedMemory,
LsaFreeSharedMemory,
LsaDeleteSharedMemory,
LsaOpenSamUser,
LsaGetUserCredentials,
LsaGetUserAuthData,
LsaCloseSamUser,
LsaConvertAuthDataToToken,
LsaClientCallback,
LsapUpdateCredentials,
LsaGetAuthDataForUser,
LsaCrackSingleName,
LsaIAuditAccountLogon,
LsaICallPackagePassthrough,
CrediRead,
CrediReadDomainCredentials,
CrediFreeCredentials,
LsaProtectMemory,
LsaUnprotectMemory,
LsapOpenTokenByLogonId,
LsaExpandAuthDataForDomain,
LsapAllocatePrivateHeap,
LsapFreePrivateHeap,
LsapCreateTokenEx
};
//+-------------------------------------------------------------------------
//
// Function: LsapOpenCaller
//
// Synopsis: Opens the calling process
//
// Effects:
//
// Arguments: phProcess -- receives handle to process
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUS
LsapOpenCaller(
IN OUT PSession pSession
)
{
HANDLE hProcess;
NTSTATUS Status;
OBJECT_ATTRIBUTES ObjectAttributes;
CLIENT_ID ClientId;
PVOID Ignored ;
ClientId.UniqueThread = NULL;
ClientId.UniqueProcess = (HANDLE) LongToHandle(pSession->dwProcessID);
InitializeObjectAttributes(
&ObjectAttributes,
NULL,
0,
NULL,
NULL
);
Status = NtOpenProcess(
&hProcess,
PROCESS_DUP_HANDLE | // Duplicate Handles
PROCESS_QUERY_INFORMATION | // Get token
PROCESS_VM_OPERATION | // Allocate
PROCESS_VM_READ | // Read memory
PROCESS_VM_WRITE, // Write memory
&ObjectAttributes,
&ClientId
);
if (!NT_SUCCESS(Status))
{
DebugLog((DEB_ERROR, "Did not open process %08x, error %08x\n",
pSession->dwProcessID, Status));
return( Status );
}
pSession->hProcess = hProcess;
Status = NtQueryInformationProcess(
hProcess,
ProcessSessionInformation,
&pSession->SessionId,
sizeof( ULONG ),
NULL );
#if _WIN64
Status = NtQueryInformationProcess(
hProcess,
ProcessWow64Information,
&Ignored,
sizeof( Ignored ),
NULL );
if ( NT_SUCCESS( Status ) )
{
if ( Ignored != 0 )
{
pSession->fSession |= SESFLAG_WOW_PROCESS ;
}
}
#endif
return( STATUS_SUCCESS );
}
//+-------------------------------------------------------------------------
//
// Function: CheckCaller
//
// Synopsis: Checks if calling process has been opened, opens if it
// hasn't.
//
// Effects:
//
// Arguments: pSession - Current session
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUS
CheckCaller(
IN PSession pSession
)
{
NTSTATUS Status;
if (!pSession->hProcess)
{
Status = LsapOpenCaller(pSession);
if (FAILED(Status))
{
DebugLog((DEB_ERROR, "Could not open client (%x)\n", Status));
return(Status);
}
}
return(STATUS_SUCCESS);
}
//+-------------------------------------------------------------------------
//
// Function: LsapUnloadPackage
//
// Synopsis: Unloads the calling package in case of catastrophic problems
//
// Effects: Unloads the DLL that generated this call.
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes: Calling thread is terminated through a special exception.
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
LsapUnloadPackage(
VOID
)
{
ULONG_PTR PackageId;
PSession pSession = GetCurrentSession();
PackageId = GetCurrentPackageId();
//
// If this is an autonomous thread, we should interrupt any other threads
// that are currently executing in the DLL. At this time, I do not know
// what will happen if the virtual address space of a thread suddenly
// becomes invalid, or even if that will happen. We'll find out...
//
if (pSession->fSession & SESFLAG_AUTONOMOUS)
{
DebugLog((DEB_WARN, "Autonomous thread executed LsapUnloadPackage\n"));
}
pSession->fSession |= SESFLAG_UNLOADING;
RaiseException((ULONG) SEC_E_BAD_PKGID, 0, 0, NULL);
return(STATUS_SUCCESS);
}
BOOLEAN
LsapHeapInitialize(
IN BOOLEAN Server
)
{
if( !Server )
{
NT_PRODUCT_TYPE ProductType;
if ( RtlGetNtProductType( &ProductType ) &&
(ProductType == NtProductServer || ProductType == NtProductLanManNt)
)
{
Server = TRUE;
}
}
if ( Server )
{
SYSTEM_INFO si;
DWORD Heaps;
DWORD i, cHeapsCreated;
RTL_HEAP_PARAMETERS HeapParameters;
GetSystemInfo( &si );
if( si.dwNumberOfProcessors == 0 ) {
Heaps = 1;
} else if( si.dwNumberOfProcessors > HEAP_COUNT_MAX )
{
Heaps = HEAP_COUNT_MAX;
} else {
Heaps = si.dwNumberOfProcessors;
}
ZeroMemory( &HeapParameters, sizeof(HeapParameters) );
HeapParameters.Length = sizeof(HeapParameters);
HeapParameters.DeCommitTotalFreeThreshold = 8 * LsapPageSize ;
cHeapsCreated = 0;
for( i = 0 ; i < Heaps ; i++ )
{
gHeaps[ cHeapsCreated ] = RtlCreateHeap(
HEAP_GROWABLE,
NULL,
0,
0,
NULL,
&HeapParameters
);
if( gHeaps[ cHeapsCreated ] != NULL )
{
cHeapsCreated++;
}
}
gcHeaps = cHeapsCreated;
}
if( gHeaps[ 0 ] == NULL )
{
gHeaps[ 0 ] = RtlProcessHeap();
gcHeaps = 1;
}
return TRUE;
}
//+-------------------------------------------------------------------------
//
// Function: LsapAllocateLsaHeap
//
// Synopsis: Allocates memory on process heap
//
// Effects:
//
// Arguments: cbMemory -- Size of block needed
//
// Requires:
//
// Returns: ptr to memory
//
// Notes: if DBGMEM or TRACK_MEM defined, extra work is done for
// tracking purposes.
//
// Can raise the exception STATUS_NO_MEMORY
//
// Per object reuse rules of C2 and above, we zero any memory
// allocated through this function
//
//--------------------------------------------------------------------------
PVOID NTAPI
LsapAllocateLsaHeap(
IN ULONG cbMemory
)
{
#if DBG
if (MemFail.fSimulateFailure)
{
TotalAllocations++;
if ((TotalAllocations > MemFail.FailureDelay) &&
(TotalAllocations < MemFail.FailureLength + MemFail.FailureDelay))
{
if ((TotalAllocations % MemFail.FailureInterval) == 0)
{
if ((PackageToFail == SPMGR_ID) ||
(GetCurrentPackageId() == PackageToFail))
{
DebugLog((DEB_TRACE,"LsapAllocateLsaHeap: Simulating failure\n"));
return(NULL);
}
}
}
}
#endif // DBG
return(RtlAllocateHeap(
RtlProcessHeap(),
HEAP_ZERO_MEMORY,
cbMemory
));
}
//+-------------------------------------------------------------------------
//
// Function: LsapFreeLsaHeap
//
// Synopsis: Frees memory allocated by LsapAllocateLsaHeap
//
// Effects:
//
// Arguments: pvMemory
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
void NTAPI
LsapFreeLsaHeap(
IN PVOID pvMemory
)
{
RtlFreeHeap(
RtlProcessHeap(),
0,
pvMemory
);
}
//+-------------------------------------------------------------------------
//
// Function: LsapAllocatePrivateHeap
//
// Synopsis: Allocates memory on private heap(s)
//
// Effects:
//
// Arguments: cbMemory -- Size of block needed
//
// Requires:
//
// Returns: ptr to memory
//
// Per object reuse rules of C2 and above, we zero any memory
// allocated through this function
//
//--------------------------------------------------------------------------
PVOID
NTAPI
LsapAllocatePrivateHeap(
IN SIZE_T cbMemory
)
{
HANDLE hHeap;
PHEAP_HEADER_LSA memory;
hHeap = LsapGetCurrentHeap();
if( hHeap == NULL )
{
static ULONG heapindex;
ULONG LocalHeapIndex;
LocalHeapIndex = (ULONG)InterlockedIncrement( (PLONG)&heapindex );
LocalHeapIndex %= gcHeaps;
hHeap = gHeaps[ LocalHeapIndex ];
LsapSetCurrentHeap( hHeap );
}
memory = (PHEAP_HEADER_LSA)RtlAllocateHeap(
hHeap,
HEAP_ZERO_MEMORY,
cbMemory+sizeof(HEAP_HEADER_LSA)
);
if( memory != NULL )
{
memory->hHeap = hHeap;
memory->Magic = (unsigned char*)HEAP_MAGIC_TAG-(unsigned char*)hHeap;
return ( (unsigned char*)memory+sizeof(HEAP_HEADER_LSA) );
}
DebugLog((DEB_ERROR,"LsapAllocatePrivateHeap: %p failed allocate %lu bytes\n", hHeap, cbMemory));
return NULL;
}
PVOID
NTAPI
LsapAllocatePrivateHeapNoZero(
IN SIZE_T cbMemory
)
{
HANDLE hHeap;
PHEAP_HEADER_LSA memory;
hHeap = LsapGetCurrentHeap();
if( hHeap == NULL )
{
static ULONG heapindex;
ULONG LocalHeapIndex;
LocalHeapIndex = (ULONG)InterlockedIncrement( (PLONG)&heapindex );
LocalHeapIndex %= gcHeaps;
hHeap = gHeaps[ LocalHeapIndex ];
LsapSetCurrentHeap( hHeap );
}
memory = (PHEAP_HEADER_LSA)RtlAllocateHeap(
hHeap,
0,
cbMemory+sizeof(HEAP_HEADER_LSA)
);
if( memory != NULL )
{
memory->hHeap = hHeap;
memory->Magic = (unsigned char*)HEAP_MAGIC_TAG-(unsigned char*)hHeap;
return ( (unsigned char*)memory+sizeof(HEAP_HEADER_LSA) );
}
DebugLog((DEB_ERROR,"LsapAllocatePrivateHeapNoZero: %p failed allocate %lu bytes\n", hHeap, cbMemory));
return NULL;
}
//+-------------------------------------------------------------------------
//
// Function: LsapFreePrivateHeap
//
// Synopsis: Frees memory allocated by LsapAllocatePrivateHeap
//
// Effects:
//
// Arguments: pvMemory
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
void
NTAPI
LsapFreePrivateHeap(
IN PVOID pvMemory
)
{
PHEAP_HEADER_LSA HeapEntry;
if( pvMemory == NULL )
{
return ;
}
HeapEntry = (PHEAP_HEADER_LSA)((unsigned char*)pvMemory-sizeof(HEAP_HEADER_LSA));
if( HeapEntry->Magic + ((unsigned char*)HeapEntry->hHeap) != (unsigned char*)HEAP_MAGIC_TAG )
{
DebugLog((DEB_ERROR, "LsapFreePrivateHeap tried to free %p from wrong heap\n",
pvMemory));
DsysAssert( pvMemory == NULL );
return;
}
RtlFreeHeap(
HeapEntry->hHeap,
0,
HeapEntry
);
}
//+-------------------------------------------------------------------------
//
// Function: LsapClientAllocate
//
// Synopsis: Allocates memory in client process
//
// Effects:
//
// Arguments: cbMemory -- Size of block to allocate
//
// Requires:
//
// Returns: pointer to memory in client address space
//
// Notes: pointer is not valid in this process, only in client
//
//--------------------------------------------------------------------------
PVOID NTAPI
LsapClientAllocate(
IN ULONG cbMemory
)
{
NTSTATUS Status;
PSession pSession;
void * pClientMemory = NULL;
SIZE_T cbMem = cbMemory;
PLSA_CALL_INFO CallInfo ;
CallInfo = LsapGetCurrentCall();
pSession = GetCurrentSession() ;
if ( pSession == NULL )
{
pSession = pDefaultSession ;
}
if ( CallInfo == NULL )
{
CallInfo = &LsapDefaultCallInfo ;
}
if (FAILED(CheckCaller(pSession)))
{
return(NULL);
}
//
// If the INPROC flag is set, allocate out of the heap. The copy functions
// will also honor this.
//
if ( pSession->fSession & SESFLAG_INPROC )
{
pClientMemory = LsapAllocateLsaHeap( (ULONG) cbMem );
return( pClientMemory );
}
if ( CallInfo->Flags & CALL_FLAG_KERNEL_POOL )
{
if ( ( CallInfo->Flags & CALL_FLAG_KMAP_USED ) != 0 )
{
pClientMemory = LsapAllocateFromKsecBuffer(
CallInfo->KMap,
(ULONG) cbMem );
DebugLog((DEB_TRACE_HELPERS, "[%x] LsapClientAllocate(%d) = %p in KMap %p\n",
pSession->dwProcessID, cbMem,
pClientMemory, CallInfo->KMap ));
return pClientMemory ;
}
}
Status = NtAllocateVirtualMemory(pSession->hProcess,
&pClientMemory,
0,
&cbMem,
MEM_COMMIT,
PAGE_READWRITE);
if (!NT_SUCCESS(Status))
{
DebugLog((DEB_ERROR, "[%x] Could not allocate client memory (%x)\n",
pSession->dwProcessID, Status));
pClientMemory = NULL;
}
DebugLog((DEB_TRACE_HELPERS, "[%x] LsapClientAllocate(%d) = %p\n",
pSession->dwProcessID, cbMemory, pClientMemory));
if ( pClientMemory )
{
// Save pointer so that FreeContextBuffer will use
// correct 'free' function.
if(CallInfo->Allocs < MAX_BUFFERS_IN_CALL)
{
CallInfo->Buffers[ CallInfo->Allocs++ ] = pClientMemory ;
}
}
return(pClientMemory);
}
//+-------------------------------------------------------------------------
//
// Function: LsapCopyToClient
//
// Synopsis: Copies data into client process
//
// Effects:
//
// Arguments: pLocalMemory -- pointer to data in this process
// pClientMemory -- pointer to destination in client process
// cbMemory -- how much to copy
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
LsapCopyToClient(
IN PVOID pLocalMemory,
OUT PVOID pClientMemory,
IN ULONG cbMemory
)
{
NTSTATUS Status;
PSession pSession;
PLSA_CALL_INFO CallInfo;
PKSEC_LSA_MEMORY_HEADER Header ;
ULONG i ;
ULONG_PTR Basis ;
ULONG_PTR Limit ;
BOOL Tried = FALSE ;
if (cbMemory == 0)
{
return(STATUS_SUCCESS);
}
pSession = GetCurrentSession();
if ( !pSession )
{
pSession = pDefaultSession ;
}
CallInfo = LsapGetCurrentCall();
if ( ( pLocalMemory == NULL ) ||
( pClientMemory == NULL ) )
{
return STATUS_ACCESS_VIOLATION ;
}
if (FAILED(Status = CheckCaller(pSession)))
{
return(Status);
}
//
// Cases for a direct copy:
//
// - The current session is the default session
// - This is an inproc call
// - We're using a KMap buffer
//
if (CallInfo &&
CallInfo->Flags & CALL_FLAG_KERNEL_POOL )
{
Header = CallInfo->KMap ;
if ( (ULONG_PTR) pClientMemory > LsapUserModeLimit )
{
//
// Someone is trying to deal with a pool address directly.
// we can handle this if it was copied into the KMap already
//
for ( i = 0 ; i < Header->MapCount ; i++ )
{
Limit = (ULONG_PTR) Header->PoolMap[ i ].Pool + Header->PoolMap[ i ].Size ;
if ( ((ULONG_PTR) pClientMemory >= (ULONG_PTR) Header->PoolMap[ i ].Pool ) &&
( (ULONG_PTR) pClientMemory < Limit ) )
{
//
// Found an overlap, this is promising. Check the bounds:
//
Basis = (ULONG_PTR) pClientMemory -
(ULONG_PTR) Header->PoolMap[ i ].Pool ;
if ( Basis + cbMemory <= Header->PoolMap[ i ].Size )
{
//
// Found it!
//
__try
{
RtlCopyMemory(
(PUCHAR) Header +
(Header->PoolMap[ i ].Offset +
Basis),
pLocalMemory,
cbMemory );
Status = STATUS_SUCCESS ;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
Status = GetExceptionCode();
}
}
Tried = TRUE ;
break;
}
}
if ( !Tried )
{
Status = STATUS_ACCESS_VIOLATION ;
}
}
else if ( LsapIsBlockInKMap( CallInfo->KMap, pClientMemory ) )
{
__try
{
RtlCopyMemory( pClientMemory, pLocalMemory, cbMemory );
Status = STATUS_SUCCESS ;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
Status = GetExceptionCode();
}
}
else
{
Status = NtWriteVirtualMemory(pSession->hProcess,
pClientMemory,
pLocalMemory,
cbMemory,
NULL);
}
} else if ( (pSession->dwProcessID == pDefaultSession->dwProcessID) ||
(pSession->fSession & SESFLAG_INPROC) ||
(CallInfo->Flags & CALL_FLAG_KMAP_USED ) )
{
__try
{
RtlCopyMemory( pClientMemory, pLocalMemory, cbMemory );
Status = STATUS_SUCCESS ;
}
__except ( EXCEPTION_EXECUTE_HANDLER )
{
Status = GetExceptionCode();
}
}
else
{
Status = NtWriteVirtualMemory( pSession->hProcess,
pClientMemory,
pLocalMemory,
cbMemory,
NULL);
}
DebugLog((DEB_TRACE_HELPERS, "[%x] LsapCopyToClient(%p, %p, %d) = %x\n",
pSession->dwProcessID, pLocalMemory, pClientMemory, cbMemory,
Status ));
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: LsapCopyFromClient
//
// Synopsis: Copies memory from client to this process
//
// Effects:
//
// Arguments: pClientMemory -- Pointer to data in client space
// pLocalMemory -- Pointer to destination in this process
// cbMemory -- How much
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
LsapCopyFromClient(
IN PVOID pClientMemory,
OUT PVOID pLocalMemory,
IN ULONG cbMemory
)
{
NTSTATUS Status;
PSession pSession;
PLSA_CALL_INFO CallInfo ;
PKSEC_LSA_MEMORY_HEADER Header ;
ULONG i ;
ULONG_PTR Basis ;
ULONG_PTR Limit ;
BOOL Tried = FALSE ;
if (cbMemory == 0)
{
return(STATUS_SUCCESS);
}
if ( ( pClientMemory == NULL ) ||
( pLocalMemory == NULL ) )
{
return STATUS_ACCESS_VIOLATION ;
}
pSession = GetCurrentSession();
if ( pSession == NULL )
{
pSession = pDefaultSession ;
}
CallInfo = LsapGetCurrentCall();
if (FAILED(Status = CheckCaller(pSession)))
{
return(Status);
}
if (CallInfo &&
CallInfo->Flags & CALL_FLAG_KERNEL_POOL )
{
Header = CallInfo->KMap ;
if ( (ULONG_PTR) pClientMemory > LsapUserModeLimit )
{
//
// Someone is trying to deal with a pool address directly.
// we can handle this if it was copied into the KMap already
//
for ( i = 0 ; i < Header->MapCount ; i++ )
{
Limit = (ULONG_PTR) Header->PoolMap[ i ].Pool + Header->PoolMap[ i ].Size ;
if ( ((ULONG_PTR) pClientMemory >= (ULONG_PTR) Header->PoolMap[ i ].Pool ) &&
( (ULONG_PTR) pClientMemory < Limit ) )
{
//
// Found an overlap, this is promising. Check the bounds:
//
Basis = (ULONG_PTR) pClientMemory -
(ULONG_PTR) Header->PoolMap[ i ].Pool ;
if ( Basis + cbMemory <= Header->PoolMap[ i ].Size )
{
//
// Found it!
//
__try
{
RtlCopyMemory(
pLocalMemory,
(PUCHAR) Header +
(Header->PoolMap[ i ].Offset +
Basis),
cbMemory );
Status = STATUS_SUCCESS ;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
Status = GetExceptionCode();
}
}
Tried = TRUE ;
break;
}
}
if ( !Tried )
{
Status = STATUS_ACCESS_VIOLATION ;
}
}
else if ( LsapIsBlockInKMap( CallInfo->KMap, pClientMemory ) )
{
__try
{
RtlCopyMemory( pLocalMemory, pClientMemory, cbMemory );
Status = STATUS_SUCCESS ;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
Status = GetExceptionCode();
}
}
else
{
Status = NtReadVirtualMemory(pSession->hProcess,
pClientMemory,
pLocalMemory,
cbMemory,
NULL);
}
}
else if ( (pSession->dwProcessID == pDefaultSession->dwProcessID) ||
(pSession->fSession & SESFLAG_INPROC ) )
{
__try
{
RtlCopyMemory( pLocalMemory, pClientMemory, cbMemory );
Status = STATUS_SUCCESS ;
}
__except (EXCEPTION_EXECUTE_HANDLER)
{
Status = GetExceptionCode();
}
}
else
{
Status = NtReadVirtualMemory(pSession->hProcess,
pClientMemory,
pLocalMemory,
cbMemory,
NULL);
}
DebugLog((DEB_TRACE_HELPERS, "[%x] LsapCopyFromClient(%p, %p, %d) = %x\n",
pSession->dwProcessID, pClientMemory, pLocalMemory, cbMemory,
Status));
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: LsapClientFree
//
// Synopsis: Frees memory allocated in client space
//
// Effects:
//
// Arguments: pClientMemory -- pointer to memory to free
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
LsapClientFree(
IN PVOID pClientMemory
)
{
NTSTATUS Status;
SIZE_T cbMem = 0;
PSession pSession;
PLSA_CALL_INFO CallInfo ;
CallInfo = LsapGetCurrentCall();
if ( CallInfo == NULL )
{
CallInfo = &LsapDefaultCallInfo ;
}
if (!pClientMemory)
{
return(STATUS_SUCCESS);
}
pSession = GetCurrentSession();
if ( pSession == NULL )
{
pSession = pDefaultSession ;
}
if (FAILED(Status = CheckCaller(pSession)))
{
return(Status);
}
if ( pSession->fSession & SESFLAG_INPROC )
{
LsapFreeLsaHeap( pClientMemory );
return( STATUS_SUCCESS );
}
#if DBG
if ( pSession->dwProcessID == pDefaultSession->dwProcessID )
{
DebugLog(( DEB_ERROR, "Freeing VM in LSA: %x\n", pClientMemory ));
}
#endif
Status = NtFreeVirtualMemory(pSession->hProcess,
&pClientMemory,
&cbMem,
MEM_RELEASE);
if ( pClientMemory )
{
ULONG i;
// Remove this pointer from our list.
for(i = 0; i < CallInfo->Allocs; i++)
{
if(CallInfo->Buffers[i] == pClientMemory)
{
if(i < CallInfo->Allocs - 1)
{
memcpy(&CallInfo->Buffers[i],
&CallInfo->Buffers[i+1],
sizeof(PVOID) * (CallInfo->Allocs - i - 1));
}
CallInfo->Allocs--;
break;
}
}
}
DebugLog((DEB_TRACE_HELPERS, "[%x] LsapClientFree(%x) == %x\n",
pSession->dwProcessID, pClientMemory, Status));
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: LsapDuplicateHandle
//
// Synopsis: Duplicates a handle to an NT object into the calling process
//
// Effects: A new handle is generated, referencing the object
//
// Arguments: hObject -- handle to the object
// hNewObject -- New handle valid in calling process
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
LsapDuplicateHandle(
IN HANDLE hObject,
OUT PHANDLE phNewObject
)
{
NTSTATUS Status;
PSession pSession;
pSession = GetCurrentSession();
if ( pSession == NULL )
{
pSession = pDefaultSession ;
}
if (Status = CheckCaller(pSession))
{
DebugLog((DEB_ERROR, "CheckCaller returned %d\n", Status));
return(Status);
}
Status = NtDuplicateObject( NtCurrentProcess(),
hObject,
pSession->hProcess,
phNewObject,
0,
0,
DUPLICATE_SAME_ACCESS);
DebugLog((DEB_TRACE_HELPERS, "[%x] LsapDupHandle(%x, %x (@%x)) = %x\n",
pSession->dwProcessID, hObject, *phNewObject, phNewObject, Status));
return(Status);
}
//+---------------------------------------------------------------------------
//
// Function: LsapImpersonateClient
//
// Synopsis: Impersonate the client of the API call.
//
// Arguments: (none)
//
// History: 6-05-95 RichardW Created
//
// Notes: Threads should call RevertToSelf() when done.
//
//----------------------------------------------------------------------------
NTSTATUS NTAPI
LsapImpersonateClient(
VOID
)
{
PSession pSession;
PLSA_CALL_INFO CallInfo ;
PSPM_LPC_MESSAGE pApiMessage;
NTSTATUS Status;
CallInfo = LsapGetCurrentCall() ;
if ( CallInfo->InProcCall )
{
if ( CallInfo->InProcToken )
{
Status = NtSetInformationThread(
NtCurrentThread(),
ThreadImpersonationToken,
(PVOID) &CallInfo->InProcToken,
sizeof(HANDLE)
);
}
else
{
Status = RtlImpersonateSelf(SecurityImpersonation);
}
}
else
{
pSession = GetCurrentSession() ;
if ( !pSession )
{
pSession = pDefaultSession ;
}
Status = NtImpersonateClientOfPort(
pSession->hPort,
(PPORT_MESSAGE) CallInfo->Message);
}
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: LsapDuplicateString
//
// Synopsis:
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUS
LsapDuplicateString(
OUT PUNICODE_STRING pDest,
IN PUNICODE_STRING pSrc
)
{
pDest->Length = 0;
if (pSrc == NULL)
{
pDest->Buffer = NULL;
pDest->MaximumLength = 0;
return(STATUS_SUCCESS);
}
pDest->Buffer = (LPWSTR) LsapAllocateLsaHeap(pSrc->Length + sizeof(WCHAR));
if (pDest->Buffer)
{
pDest->MaximumLength = pSrc->Length + sizeof(WCHAR);
RtlCopyMemory(
pDest->Buffer,
pSrc->Buffer,
pSrc->Length
);
pDest->Buffer[pSrc->Length/sizeof(WCHAR)] = L'\0';
pDest->Length = pSrc->Length;
return(STATUS_SUCCESS);
} else
{
pDest->MaximumLength = 0;
return(STATUS_INSUFFICIENT_RESOURCES);
}
}
NTSTATUS
LsapDuplicateString2(
OUT PUNICODE_STRING pDest,
IN PUNICODE_STRING pSrc
)
/*++
Same as LsapDuplicateString(), but uses LsapPrivateHeap routines.
--*/
{
pDest->Length = 0;
if (pSrc == NULL)
{
pDest->Buffer = NULL;
pDest->MaximumLength = 0;
return(STATUS_SUCCESS);
}
pDest->Buffer = (LPWSTR) LsapAllocatePrivateHeap(pSrc->Length + sizeof(WCHAR));
if (pDest->Buffer)
{
pDest->MaximumLength = pSrc->Length + sizeof(WCHAR);
RtlCopyMemory(
pDest->Buffer,
pSrc->Buffer,
pSrc->Length
);
pDest->Buffer[pSrc->Length/sizeof(WCHAR)] = L'\0';
pDest->Length = pSrc->Length;
return(STATUS_SUCCESS);
} else
{
pDest->MaximumLength = 0;
return(STATUS_INSUFFICIENT_RESOURCES);
}
}
//+-------------------------------------------------------------------------
//
// Function: LsapFreeString
//
// Synopsis: Frees a string allocated by LsapDuplicateString
//
// Effects:
//
// Arguments: String - Optionally points to a UNICODE_STRING
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
VOID
LsapFreeString(
IN OPTIONAL PUNICODE_STRING String
)
{
if (ARGUMENT_PRESENT(String) && String->Buffer != NULL)
{
LsapFreeLsaHeap(String->Buffer);
String->Buffer = NULL;
}
}
//+-------------------------------------------------------------------------
//
// Function: LsapThreadBase
//
// Synopsis: Thread start routine
//
// Effects: Sets up all the TLS data for a thread, then executes
// the "real" base function.
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
void
LsapThreadBase(
PLSAP_THREAD_START pThread)
{
NTSTATUS Status;
PSession pSession;
LSAP_THREAD_START tStart = *pThread;
LsapFreePrivateHeap(pThread);
SetCurrentSession( pDefaultSession );
SpmpReferenceSession( pDefaultSession );
// Initialize Session information:
SetCurrentPackageId(tStart.dwPackageID);
DebugLog((DEB_TRACE, "Thread start @%x\n", tStart.lpStart));
// If this is a debug build, all threads are started in a protective
// try-except block. For retail, only threads started by packages
// will be run this way. Retail builds, we assume that the SPM is
// debugged and running correctly, and threads started this way can
// be trusted.
#if DBG == 0
if (tStart.dwPackageID != SPMGR_ID)
#endif
{
__try
{
tStart.lpStart(tStart.lpParm);
}
__except (SP_EXCEPTION)
{
Status = GetExceptionCode();
Status = SPException(Status, tStart.dwPackageID);
}
}
#if DBG == 0
else
{
tStart.lpStart(tStart.lpParm);
}
#endif
pSession = GetCurrentSession();
SpmpDereferenceSession( pSession );
if ( pSession != pDefaultSession )
{
DebugLog(( DEB_ERROR, "Thread completing in session other than default!\n" ));
}
DebugLog((DEB_TRACE, "Thread exit\n" ));
}
//+-------------------------------------------------------------------------
//
// Function: LsapCreateThread
//
// Synopsis: Creates a thread with all the proper Tls stuff
//
// Effects:
//
// Arguments: same as CreateThread
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
HANDLE NTAPI
LsapCreateThread(
IN LPSECURITY_ATTRIBUTES lpSA,
IN ULONG cbStack,
IN LPTHREAD_START_ROUTINE lpStart,
IN LPVOID lpvThreadParm,
IN ULONG fCreate,
OUT PULONG lpTID
)
{
PLSAP_THREAD_START pThread;
HANDLE hThread;
pThread = (PLSAP_THREAD_START) LsapAllocatePrivateHeap(sizeof(LSAP_THREAD_START));
if (pThread == NULL)
{
DebugLog((DEB_ERROR, "LsapCreateThread, memory allocation failed.\n"));
SetLastError(ERROR_OUTOFMEMORY);
return(NULL);
}
pThread->lpStart = lpStart;
pThread->lpParm = lpvThreadParm;
pThread->dwPackageID = GetCurrentPackageId();
hThread = CreateThread(
lpSA,
cbStack,
(LPTHREAD_START_ROUTINE) LsapThreadBase,
pThread,
fCreate,
lpTID
);
if( hThread == NULL )
{
DebugLog((DEB_ERROR, "LsapCreateThread, failed thread creation (%lu)\n", GetLastError()));
LsapFreePrivateHeap( pThread );
}
return hThread;
}
//+-------------------------------------------------------------------------
//
// Function: LsapGetClientInfo
//
// Synopsis:
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
LsapGetClientInfo(
OUT PSECPKG_CLIENT_INFO ClientInfo
)
{
PSession pSession = GetCurrentSession();
PPORT_MESSAGE pMessage;
HANDLE ClientToken;
NTSTATUS Status;
NTSTATUS ExtraStatus ;
TOKEN_STATISTICS TokenStats;
ULONG TokenStatsSize = sizeof(TOKEN_STATISTICS);
PLSA_CALL_INFO CallInfo ;
HANDLE Thread = NULL ;
OBJECT_ATTRIBUTES NullAttributes = { 0 };
KERNEL_USER_TIMES Times ;
RtlZeroMemory(
ClientInfo,
sizeof(SECPKG_CLIENT_INFO)
);
if ( !pSession )
{
pSession = pDefaultSession ;
}
//
// First, fill in the easy stuff from the session record. If we are
// running with the LSA session then we want to ignore the LPC message
// because it may be referring to somebody elses message (we may be
// being called on behalf of someone doing authenticated RPC in response
// to an LPC request)
//
CallInfo = LsapGetCurrentCall();
if ( CallInfo )
{
ClientInfo->ProcessID = CallInfo->CallInfo.ProcessId ;
ClientInfo->ThreadID = CallInfo->CallInfo.ThreadId ;
if (((pSession->fSession & SESFLAG_TCB_PRIV) != 0) ||
((pSession->fSession & SESFLAG_KERNEL) != 0))
{
ClientInfo->HasTcbPrivilege = TRUE;
}
else
{
ClientInfo->HasTcbPrivilege = FALSE;
}
if(CallInfo->CachedTokenInfo)
{
ClientInfo->LogonId = CallInfo->LogonId;
ClientInfo->Restricted = CallInfo->Restricted;
ClientInfo->Impersonating = CallInfo->Impersonating;
ClientInfo->ImpersonationLevel = CallInfo->ImpersonationLevel;
return STATUS_SUCCESS;
}
Status = LsapImpersonateClient();
if ( !NT_SUCCESS( Status ) )
{
if ( Status == STATUS_BAD_IMPERSONATION_LEVEL )
{
Status = NtOpenThread(
&Thread,
THREAD_QUERY_INFORMATION,
&NullAttributes,
&CallInfo->Message->pmMessage.ClientId );
}
else if ( ( Status == STATUS_REPLY_MESSAGE_MISMATCH ) ||
( Status == STATUS_INVALID_CID ) ||
( Status == STATUS_PORT_DISCONNECTED ) )
{
//
// This is a special status returned by the LPC layer to indicate
// that the client thread has disappeared, or the process is
// terminating. Set a flag to indicate this:
//
ClientInfo->ClientFlags |= SECPKG_CLIENT_THREAD_TERMINATED ;
CallInfo->CallInfo.Attributes |= SECPKG_CALL_THREAD_TERM ;
//
// Check the process. If the process has started to exit, set that
// flag as well.
//
ExtraStatus = NtQueryInformationProcess(
pSession->hProcess,
ProcessTimes,
&Times,
sizeof( Times ),
NULL );
if ( NT_SUCCESS( ExtraStatus ) )
{
if ( Times.ExitTime.QuadPart != 0 )
{
ClientInfo->ClientFlags |= SECPKG_CLIENT_PROCESS_TERMINATED ;
CallInfo->CallInfo.Attributes |= SECPKG_CALL_PROCESS_TERM ;
}
}
DebugLog(( DEB_TRACE, "Client %x.%x has terminated\n",
ClientInfo->ProcessID, ClientInfo->ThreadID ));
return STATUS_SUCCESS ;
}
}
else
{
Thread = NtCurrentThread();
}
if (!NT_SUCCESS(Status))
{
DebugLog((DEB_WARN,"Failed to impersonate client: 0x%x\n",Status));
return(Status);
}
Status = NtOpenThreadToken(
Thread,
TOKEN_QUERY,
TRUE, // use LSA security context
&ClientToken
);
if (NT_SUCCESS(Status))
{
ClientInfo->Restricted = ( IsTokenRestricted(ClientToken) != 0 );
Status = NtQueryInformationToken(
ClientToken,
TokenStatistics,
(PVOID) &TokenStats,
TokenStatsSize,
&TokenStatsSize
);
NtClose(ClientToken);
if (NT_SUCCESS(Status))
{
ClientInfo->LogonId = TokenStats.AuthenticationId;
ClientInfo->Impersonating = (TokenStats.TokenType == TokenPrimary) ? FALSE : TRUE;
if( ClientInfo->Impersonating )
{
ClientInfo->ImpersonationLevel = TokenStats.ImpersonationLevel;
} else {
ClientInfo->ImpersonationLevel = SecurityImpersonation;
}
}
}
RevertToSelf();
if ( Thread != NtCurrentThread() )
{
NtClose( Thread );
}
if(NT_SUCCESS(Status))
{
CallInfo->LogonId = ClientInfo->LogonId;
CallInfo->Restricted = ClientInfo->Restricted;
CallInfo->Impersonating = ClientInfo->Impersonating;
CallInfo->ImpersonationLevel = ClientInfo->ImpersonationLevel;
CallInfo->CachedTokenInfo = TRUE;
}
return(Status);
}
else
{
ClientInfo->ProcessID = GetCurrentProcessId();
ClientInfo->ThreadID = GetCurrentThreadId();
ClientInfo->HasTcbPrivilege = TRUE;
ClientInfo->Impersonating = FALSE;
ClientInfo->ImpersonationLevel = SecurityImpersonation;
ClientInfo->LogonId = SystemLogonId;
return(STATUS_SUCCESS);
}
}
//+---------------------------------------------------------------------------
//
// Function: LsapGetCallInfo
//
// Synopsis: Gets call information
//
// Arguments: [Info] --
//
// History: 10-06-96 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
BOOLEAN
LsapGetCallInfo(
PSECPKG_CALL_INFO Info
)
{
PLSA_CALL_INFO CallInfo ;
CallInfo = LsapGetCurrentCall() ;
if ( CallInfo )
{
*Info = CallInfo->CallInfo ;
if ( CallInfo->InProcCall )
{
Info->Attributes |= SECPKG_CALL_IN_PROC ;
}
return TRUE ;
} else {
Info->ProcessId = GetCurrentProcessId();
Info->ThreadId = GetCurrentThreadId();
Info->Attributes = SECPKG_CALL_IN_PROC |
SECPKG_CALL_IS_TCB ;
Info->CallCount = 0;
return TRUE;
}
}
//+-------------------------------------------------------------------------
//
// Function: LsapMapClientBuffer
//
// Synopsis: Maps a client's SecBuffer into the caller's address space
//
// Effects: Clears the SECBUFFER_UNMAPPED field of the BufferType of
// the return SecBuffer
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes: Doesn't modify pOutput until the end, so it is o.k. to pass
// the same thing for pInput and pOutput.
//
//
//--------------------------------------------------------------------------
NTSTATUS
LsapMapClientBuffer(
IN PSecBuffer pInput,
OUT PSecBuffer pOutput
)
{
NTSTATUS Status = STATUS_SUCCESS ;
SecBuffer Output ;
Output = *pInput ;
PLSA_CALL_INFO CallInfo = LsapGetCurrentCall();
//
// If the buffer is already mapped or it doesn't exist (is NULL) we
// are done.
//
if (!(pInput->BufferType & SECBUFFER_UNMAPPED) ||
!pInput->pvBuffer)
{
return( STATUS_SUCCESS );
}
else
{
Output.BufferType &= ~SECBUFFER_UNMAPPED;
}
if ( pInput->BufferType & SECBUFFER_KERNEL_MAP )
{
//
// This one is already in process space
//
if ( ( CallInfo->CallInfo.Attributes & SECPKG_CALL_KERNEL_MODE ) == 0 )
{
//
// If this call did not come from kernel mode with
// the kernel-pool flag set, then this is an attempted
// hack on the LSA. Reject it.
//
Status = STATUS_ACCESS_VIOLATION ;
}
else
{
//
// The buffer is already in memory. Mark the call as
// using kernel-pool memory, so we allocate correctly
// on the return.
//
CallInfo->Flags |= CALL_FLAG_KERNEL_POOL ;
DebugLog((DEB_TRACE_SPECIAL, "Kernel Pool Map at %p [%x,%x]\n",
Output.pvBuffer, Output.BufferType, Output.cbBuffer ));
}
}
else
{
Output.pvBuffer = LsapAllocateLsaHeap( Output.cbBuffer );
if ( Output.pvBuffer != NULL )
{
Status = LsapCopyFromClient(
pInput->pvBuffer,
Output.pvBuffer,
Output.cbBuffer );
if ( !NT_SUCCESS( Status ) )
{
LsapFreeLsaHeap(Output.pvBuffer);
}
}
else
{
Status = STATUS_NO_MEMORY ;
}
}
if ( NT_SUCCESS( Status ) )
{
*pOutput = Output ;
}
return( Status );
}
//+-------------------------------------------------------------------------
//
// Function: LsaICallPackage
//
// Synopsis: Function to call another security package
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
extern "C"
NTSTATUS
LsaICallPackage(
IN PUNICODE_STRING AuthenticationPackage,
IN PVOID ProtocolSubmitBuffer,
IN ULONG SubmitBufferLength,
OUT PVOID *ProtocolReturnBuffer,
OUT PULONG ReturnBufferLength,
OUT PNTSTATUS ProtocolStatus
)
{
return LsaICallPackageEx( AuthenticationPackage,
ProtocolSubmitBuffer, // client buffer base is same as local buffer
ProtocolSubmitBuffer,
SubmitBufferLength,
ProtocolReturnBuffer,
ReturnBufferLength,
ProtocolStatus );
}
//+-------------------------------------------------------------------------
//
// Function: LsaICallPackageEx
//
// Synopsis: Function to call another security package
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
extern "C"
NTSTATUS
LsaICallPackageEx(
IN PUNICODE_STRING AuthenticationPackage,
IN PVOID ClientBufferBase,
IN PVOID ProtocolSubmitBuffer,
IN ULONG SubmitBufferLength,
OUT PVOID *ProtocolReturnBuffer,
OUT PULONG ReturnBufferLength,
OUT PNTSTATUS ProtocolStatus
)
{
NTSTATUS Status = STATUS_SUCCESS;
PLSAP_SECURITY_PACKAGE Package;
PSession OldSession;
Package = SpmpLookupPackageAndRequest(
AuthenticationPackage,
SP_ORDINAL_CALLPACKAGE
);
if (Package == NULL)
{
DebugLog((DEB_WARN,"LsapCallPackage failed: package %wZ not found\n",
AuthenticationPackage ));
Status = STATUS_NO_SUCH_PACKAGE;
goto Cleanup;
}
//
// Set the session to be the LSA's so calls to allocate memory
// will allocate in the correct process
//
OldSession = GetCurrentSession();
SetCurrentSession( pDefaultSession );
Status = Package->FunctionTable.CallPackage(
NULL,
ProtocolSubmitBuffer,
ClientBufferBase,
SubmitBufferLength,
ProtocolReturnBuffer,
ReturnBufferLength,
ProtocolStatus
);
//
// Restore our original session
//
SetCurrentSession( OldSession );
Cleanup:
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: LsaICallPackagePassthrough
//
// Synopsis: Function to call another security package for pass-through request
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
extern "C"
NTSTATUS
LsaICallPackagePassthrough(
IN PUNICODE_STRING AuthenticationPackage,
IN PVOID ClientBufferBase,
IN PVOID ProtocolSubmitBuffer,
IN ULONG SubmitBufferLength,
OUT PVOID *ProtocolReturnBuffer,
OUT PULONG ReturnBufferLength,
OUT PNTSTATUS ProtocolStatus
)
{
NTSTATUS Status = STATUS_SUCCESS;
PLSAP_SECURITY_PACKAGE Package;
PSession OldSession;
Package = SpmpLookupPackageAndRequest(
AuthenticationPackage,
SP_ORDINAL_CALLPACKAGE
);
if (Package == NULL)
{
DebugLog((DEB_WARN,"LsapCallPackage failed: package %wZ not found\n",
AuthenticationPackage ));
Status = STATUS_NO_SUCH_PACKAGE;
goto Cleanup;
}
//
// Set the session to be the LSA's so calls to allocate memory
// will allocate in the correct process
//
OldSession = GetCurrentSession();
SetCurrentSession( pDefaultSession );
Status = Package->FunctionTable.CallPackagePassthrough(
NULL,
ProtocolSubmitBuffer,
ClientBufferBase,
SubmitBufferLength,
ProtocolReturnBuffer,
ReturnBufferLength,
ProtocolStatus
);
//
// Restore our original session
//
SetCurrentSession( OldSession );
Cleanup:
return(Status);
}
extern "C"
VOID
LsaIFreeReturnBuffer(
IN PVOID Buffer
)
/*++
Routine Description:
Some of the LSA authentication services allocate memory buffers to
hold returned information. This service is used to free those buffers
when no longer needed.
Arguments:
Buffer - Supplies a pointer to the return buffer to be freed.
Return Status:
STATUS_SUCCESS - Indicates the service completed successfully.
Others - returned by NtFreeVirtualMemory().
--*/
{
SIZE_T Length;
Length = 0;
DebugLog(( DEB_TRACE_HELPERS, "LsaIFreeReturnBuffer - freeing VM at %x\n", Buffer ));
if (((ULONG_PTR) Buffer & 0xfff) != 0)
{
DbgPrint("Freeing non-page address: %p\n",Buffer);
DbgBreakPoint();
}
NtFreeVirtualMemory(
NtCurrentProcess(),
&Buffer,
&Length,
MEM_RELEASE
);
}
NTSTATUS
LsaClientCallback(
PCHAR Callback,
ULONG_PTR Argument1,
ULONG_PTR Argument2,
PSecBuffer Input,
PSecBuffer Output
)
{
PSession Session ;
ULONG Type ;
Session = GetCurrentSession();
if ( !Session )
{
Session = pDefaultSession ;
}
if ( !Session->hPort &&
((Session->fSession & SESFLAG_DEFAULT) == 0) )
{
return SEC_E_INVALID_HANDLE ;
}
if ( (ULONG_PTR) Callback < 0x00010000 )
{
Type = SPM_CALLBACK_PACKAGE ;
}
else
{
Type = SPM_CALLBACK_EXPORT ;
}
return LsapClientCallback( Session,
Type,
Callback,
(PVOID) Argument1,
(PVOID) Argument2,
Input,
Output );
}
#if 0
BOOL
LsapCaptureAuthData(
PVOID pvAuthData,
BOOLEAN DesiredAnsi,
PSEC_WINNT_AUTH_IDENTITY * AuthData
)
{
SEC_WINNT_AUTH_IDENTITY Auth ;
PSEC_WINNT_AUTH_IDENTITY pAuth ;
SECURITY_STATUS Status ;
ULONG TotalSize ;
PWSTR CurrentW ;
PSTR CurrentA ;
PVOID Current ;
PWSTR ConvertBufferW ;
PSTR ConvertBufferA ;
PVOID Convert;
ULONG Longest ;
ZeroMemory( &Auth, sizeof( Auth ) );
Status = LsapCopyFromClientBuffer(
NULL,
sizeof( SEC_WINNT_AUTH_IDENTITY ),
& Auth,
pvAuthData );
if ( !NT_SUCCESS( Status ) )
{
return FALSE ;
}
Longest = Auth.UserLength ;
Longest = max( Longest, Auth.DomainLength );
Longest = max( Longest, Auth.PasswordLength );
Longest = (Longest + 1) * sizeof(WCHAR);
//
// Always go with the extra, so we can handle DBCS
//
TotalSize = sizeof( SEC_WINNT_AUTH_IDENTITY ) +
( Auth.UserLength + 1 +
Auth.DomainLength + 1 +
Auth.PasswordLength + 1 ) * sizeof( WCHAR );
pAuth = (PSEC_WINNT_AUTH_IDENTITY) LsapAllocateLsaHeap( TotalSize );
if ( !pAuth )
{
return FALSE ;
}
ConvertBufferW = NULL ;
ConvertBufferA = NULL ;
Convert = NULL ;
CurrentA = NULL ;
CurrentW = NULL ;
if ( Auth.Flags & SEC_WINNT_AUTH_IDENTITY_ANSI )
{
if ( !DesiredAnsi )
{
ConvertBufferA = (PSTR) LocalAlloc( LMEM_FIXED, Longest );
Convert = ConvertBufferA ;
CurrentW = (PWSTR) (pAuth + 1);
}
else
{
CurrentA = (PSTR) (pAuth + 1);
}
}
else
{
if ( DesiredAnsi )
{
ConvertBufferW = (PWSTR) LocalAlloc( LMEM_FIXED, Longest );
CurrentA = (PSTR) (pAuth + 1);
}
else
{
CurrentW = (PWSTR) pAuth + 1);
}
}
pAuth->Flags = Auth.Flags ;
CurrentW = (PWSTR) (pAuth + 1);
CurrentA = (PSTR) (pAuth + 1);
Current = CurrentW ;
if ( Auth.User )
{
pAuth->User = Current ;
Status = LsapCopyFromClientBuffer(
NULL,
(Auth.Flags & SEC_WINNT_AUTH_IDENTITY_ANSI ?
( Auth.UserLength + 1 ) :
( (Auth.UserLength + 1 ) * sizeof( WCHAR ) ) ),
(Convert ? Convert : Current ),
Auth.User );
if ( Convert )
{
if ( ConvertBufferA )
{
}
}
else
{
pAuth->UserLength = Auth.UserLength ;
}
Status = LsaTable->CopyFromClientBuffer(
NULL,
(Auth.UserLength + 1) * sizeof(WCHAR) ,
pAuth->User,
Auth.User );
if ( !NT_SUCCESS( Status ) )
{
goto Error_Cleanup ;
}
Current += Auth.UserLength + 1;
}
if ( Auth.Domain )
{
pAuth->Domain = Current ;
pAuth->DomainLength = Auth.DomainLength ;
Status = LsaTable->CopyFromClientBuffer(
NULL,
(Auth.DomainLength + 1) * sizeof( WCHAR ),
pAuth->Domain,
Auth.Domain );
if ( !NT_SUCCESS( Status ) )
{
goto Error_Cleanup ;
}
Current += Auth.DomainLength + 1;
}
if ( Auth.Password )
{
pAuth->Password = Current ;
pAuth->PasswordLength = Auth.PasswordLength ;
Status = LsaTable->CopyFromClientBuffer(
NULL,
(Auth.PasswordLength + 1) * sizeof( WCHAR ),
pAuth->Password,
Auth.Password );
if ( !NT_SUCCESS( Status ) )
{
goto Error_Cleanup ;
}
Current += Auth.PasswordLength + 1;
}
*AuthData = pAuth ;
return TRUE ;
Error_Cleanup:
LocalFree( pAuth );
return FALSE ;
}
#endif
//+-------------------------------------------------------------------------
//
// Function: LsapUpdateCredentials
//
// Synopsis: This function provides a mechanism for one package to notify
// another package that the credentials for a logon session
// have changed.
//
// Effects:
//
// Arguments: PrimaryCredentials - Primary information about the user.
// All fields may be NULL but the LogonId
// Credentials - Array of credentials for different packages
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS
LsapUpdateCredentials(
IN PSECPKG_PRIMARY_CRED PrimaryCredentials,
IN OPTIONAL PSECPKG_SUPPLEMENTAL_CRED_ARRAY Credentials
)
{
return(LsapUpdateCredentialsWorker(
(SECURITY_LOGON_TYPE) 0, // no logon type
NULL, // no account name
PrimaryCredentials,
Credentials ));
}
//+-------------------------------------------------------------------------
//
// Function: LsapUpdateCredentialsWorker
//
// Synopsis: Worker function for updated credentials - calls all package
// with specified credentials
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS
LsapUpdateCredentialsWorker(
IN SECURITY_LOGON_TYPE LogonType,
IN PUNICODE_STRING AccountName,
IN PSECPKG_PRIMARY_CRED PrimaryCredentials,
IN OPTIONAL PSECPKG_SUPPLEMENTAL_CRED_ARRAY Credentials
)
{
NTSTATUS Status;
ULONG_PTR CurrentPackageId;
PLSAP_SECURITY_PACKAGE SupplementalPackage;
SupplementalPackage = SpmpIteratePackagesByRequest( NULL, SP_ORDINAL_ACCEPTCREDS );
CurrentPackageId = GetCurrentPackageId();
while (SupplementalPackage)
{
if (SupplementalPackage->dwPackageID != CurrentPackageId)
{
ULONG Index;
PSECPKG_SUPPLEMENTAL_CRED SuppCreds;
//
// For all packages, do the accept call so the
// package can associate the credentials with
// the logon session.
//
DebugLog((DEB_TRACE_WAPI, "Whacking package %ws with %x:%x = %wZ\n",
SupplementalPackage->Name.Buffer,
PrimaryCredentials->LogonId.HighPart, PrimaryCredentials->LogonId.LowPart,
AccountName));
SetCurrentPackageId( SupplementalPackage->dwPackageID );
//
// Find any supplmental credentials
//
SuppCreds = NULL;
if (Credentials != NULL)
{
for (Index = 0; Index < Credentials->CredentialCount ; Index++ ) {
if (RtlEqualUnicodeString(
&Credentials->Credentials[Index].PackageName,
&SupplementalPackage->Name,
TRUE))
{
SuppCreds = &Credentials->Credentials[Index];
break;
}
}
}
__try
{
Status = SupplementalPackage->FunctionTable.AcceptCredentials(
LogonType,
AccountName,
PrimaryCredentials,
SuppCreds
);
}
__except (SP_EXCEPTION)
{
Status = GetExceptionCode();
Status = SPException(Status, SupplementalPackage->dwPackageID);
}
// Note: if an exception occurs, we don't fail the logon, we just
// do the magic on the package that blew. If the package blows,
// the other packages may succeed, and so the user may not be able
// to use that provider.
}
SupplementalPackage = SpmpIteratePackagesByRequest(
SupplementalPackage,
SP_ORDINAL_ACCEPTCREDS
);
}
return(STATUS_SUCCESS);
}