Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

1181 lines
30 KiB

//+-----------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (c) Microsoft Corporation 1992 - 1996
//
// File: kerberos.cxx
//
// Contents: main entrypoints for the Kerberos security package
//
//
// History: 16-April-1996 Created MikeSw
// 26-Sep-1998 ChandanS
// Added more debugging support etc.
//
//------------------------------------------------------------------------
#include <kerb.hxx>
#define KERBP_ALLOCATE
#include <kerbp.h>
#include <userapi.h>
#include <safeboot.h>
#include <spncache.h>
#include <wow64t.h>
#ifdef RETAIL_LOG_SUPPORT
static TCHAR THIS_FILE[]=TEXT(__FILE__);
HANDLE g_hParamEvent = NULL;
HKEY g_hKeyParams = NULL;
#endif
#ifndef WIN32_CHICAGO
#ifdef RETAIL_LOG_SUPPORT
DEFINE_DEBUG2(Kerb);
extern DWORD KSuppInfoLevel; // needed to adjust values for common2 dir
HANDLE g_hWait = NULL;
DEBUG_KEY KerbDebugKeys[] = { {DEB_ERROR, "Error"},
{DEB_WARN, "Warn"},
{DEB_TRACE, "Trace"},
{DEB_TRACE_API, "API"},
{DEB_TRACE_CRED, "Cred"},
{DEB_TRACE_CTXT, "Ctxt"},
{DEB_TRACE_LSESS, "LSess"},
{DEB_TRACE_LOGON, "Logon"},
{DEB_TRACE_KDC, "KDC"},
{DEB_TRACE_CTXT2, "Ctxt2"},
{DEB_TRACE_TIME, "Time"},
{DEB_TRACE_LOCKS, "Locks"},
{DEB_TRACE_LEAKS, "Leaks"},
{DEB_TRACE_SPN_CACHE, "SPN"},
{DEB_TRACE_LOOPBACK, "LoopBack"},
{DEB_TRACE_U2U, "U2U"},
{0, NULL},
};
VOID
KerbInitializeDebugging(
VOID
)
{
KerbInitDebug(KerbDebugKeys);
}
////////////////////////////////////////////////////////////////////
//
// Name: KerbGetKerbRegParams
//
// Synopsis: Gets the debug paramaters from the registry
//
// Arguments: HKEY to HKLM/System/CCS/LSA/Kerberos
//
// Notes: Sets KerbInfolevel for debug spew
//
void
KerbGetKerbRegParams(HKEY ParamKey)
{
DWORD cbType, tmpInfoLevel = KerbInfoLevel, cbSize;
DWORD dwErr;
cbSize = sizeof(tmpInfoLevel);
dwErr = RegQueryValueExW(
ParamKey,
WSZ_KERBDEBUGLEVEL,
NULL,
&cbType,
(LPBYTE)&tmpInfoLevel,
&cbSize
);
if (dwErr != ERROR_SUCCESS)
{
if (dwErr == ERROR_FILE_NOT_FOUND)
{
// no registry value is present, don't want info
// so reset to defaults
#if DBG
KSuppInfoLevel = KerbInfoLevel = DEB_ERROR;
#else // fre
KSuppInfoLevel = KerbInfoLevel = 0;
#endif
}else{
D_DebugLog((DEB_WARN, "Failed to query DebugLevel: 0x%x\n", dwErr));
}
}
// TBD: Validate flags?
KSuppInfoLevel = KerbInfoLevel = tmpInfoLevel;
cbSize = sizeof(tmpInfoLevel);
dwErr = RegQueryValueExW(
ParamKey,
WSZ_FILELOG,
NULL,
&cbType,
(LPBYTE)&tmpInfoLevel,
&cbSize
);
if (dwErr == ERROR_SUCCESS)
{
KerbSetLoggingOption((BOOL) tmpInfoLevel);
}
else if (dwErr == ERROR_FILE_NOT_FOUND)
{
KerbSetLoggingOption(FALSE);
}
cbSize = sizeof(tmpInfoLevel);
dwErr = RegQueryValueExW(
ParamKey,
KERB_PARAMETER_RETRY_PDC,
NULL,
&cbType,
(LPBYTE)&tmpInfoLevel,
&cbSize
);
if (dwErr == ERROR_SUCCESS)
{
if( tmpInfoLevel != 0 )
{
KerbGlobalRetryPdc = TRUE;
} else {
KerbGlobalRetryPdc = FALSE;
}
}
else if (dwErr == ERROR_FILE_NOT_FOUND)
{
KerbGlobalRetryPdc = FALSE;
}
return;
}
////////////////////////////////////////////////////////////////////
//
// Name: KerbWaitCleanup
//
// Synopsis: Cleans up wait from KerbWatchParamKey()
//
// Arguments: <none>
//
// Notes: .
//
void
KerbWaitCleanup()
{
NTSTATUS Status = STATUS_SUCCESS;
if (NULL != g_hWait) {
Status = RtlDeregisterWait(g_hWait);
if (NT_SUCCESS(Status) && NULL != g_hParamEvent ) {
CloseHandle(g_hParamEvent);
}
}
}
////////////////////////////////////////////////////////////////////
//
// Name: KerbWatchParamKey
//
// Synopsis: Sets RegNotifyChangeKeyValue() on param key, initializes
// debug level, then utilizes thread pool to wait on
// changes to this registry key. Enables dynamic debug
// level changes, as this function will also be callback
// if registry key modified.
//
// Arguments: pCtxt is actually a HANDLE to an event. This event
// will be triggered when key is modified.
//
// Notes: .
//
VOID
KerbWatchKerbParamKey(PVOID pCtxt,
BOOLEAN fWaitStatus)
{
NTSTATUS Status;
LONG lRes = ERROR_SUCCESS;
if (NULL == g_hKeyParams) // first time we've been called.
{
lRes = RegOpenKeyExW(
HKEY_LOCAL_MACHINE,
KERB_PARAMETER_PATH,
0,
KEY_READ,
&g_hKeyParams);
if (ERROR_SUCCESS != lRes)
{
D_DebugLog((DEB_WARN,"Failed to open kerberos key: 0x%x\n", lRes));
goto Reregister;
}
}
if (NULL != g_hWait)
{
Status = RtlDeregisterWait(g_hWait);
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_WARN, "Failed to Deregister wait on registry key: 0x%x\n", Status));
goto Reregister;
}
}
lRes = RegNotifyChangeKeyValue(
g_hKeyParams,
FALSE,
REG_NOTIFY_CHANGE_LAST_SET,
(HANDLE) pCtxt,
TRUE);
if (ERROR_SUCCESS != lRes)
{
D_DebugLog((DEB_ERROR,"Debug RegNotify setup failed: 0x%x\n", lRes));
// we're tanked now. No further notifications, so get this one
}
KerbGetKerbRegParams(g_hKeyParams);
Reregister:
Status = RtlRegisterWait(&g_hWait,
(HANDLE) pCtxt,
KerbWatchKerbParamKey,
(HANDLE) pCtxt,
INFINITE,
WT_EXECUTEINPERSISTENTIOTHREAD|
WT_EXECUTEONLYONCE);
}
#endif // RETAIL_LOG_SUPPORT
NTSTATUS NTAPI
SpCleanup(
VOID
);
BOOL
DllMain(
HINSTANCE Module,
ULONG Reason,
PVOID Context
)
{
if ( Reason == DLL_PROCESS_ATTACH )
{
DisableThreadLibraryCalls( Module );
}
else if ( Reason == DLL_PROCESS_DETACH )
{
#if RETAIL_LOG_SUPPORT
KerbUnloadDebug();
KerbWaitCleanup();
#endif
}
return TRUE ;
}
//+-------------------------------------------------------------------------
//
// Function: SpLsaModeInitialize
//
// Synopsis: This function is called by the LSA when this DLL is loaded.
// It returns security package function tables for all
// security packages in the DLL.
//
// Effects:
//
// Arguments: LsaVersion - Version number of the LSA
// PackageVersion - Returns version number of the package
// Tables - Returns array of function tables for the package
// TableCount - Returns number of entries in array of
// function tables.
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
SpLsaModeInitialize(
IN ULONG LsaVersion,
OUT PULONG PackageVersion,
OUT PSECPKG_FUNCTION_TABLE * Tables,
OUT PULONG TableCount
)
{
KerbInitializeDebugging();
#ifdef RETAIL_LOG_SUPPORT
g_hParamEvent = CreateEvent(NULL,
FALSE,
FALSE,
NULL);
if (NULL == g_hParamEvent)
{
D_DebugLog((DEB_WARN, "CreateEvent for ParamEvent failed - 0x%x\n", GetLastError()));
} else {
KerbWatchKerbParamKey(g_hParamEvent, FALSE);
}
#endif // RETAIL_LOG_SUPPORT
if (LsaVersion != SECPKG_INTERFACE_VERSION)
{
D_DebugLog((DEB_ERROR,"Invalid LSA version: %d. %ws, line %d\n",LsaVersion, THIS_FILE, __LINE__));
return(STATUS_INVALID_PARAMETER);
}
KerberosFunctionTable.InitializePackage = NULL;;
KerberosFunctionTable.LogonUser = NULL;
KerberosFunctionTable.CallPackage = LsaApCallPackage;
KerberosFunctionTable.LogonTerminated = LsaApLogonTerminated;
KerberosFunctionTable.CallPackageUntrusted = LsaApCallPackageUntrusted;
KerberosFunctionTable.LogonUserEx2 = LsaApLogonUserEx2;
KerberosFunctionTable.Initialize = SpInitialize;
KerberosFunctionTable.Shutdown = SpShutdown;
KerberosFunctionTable.GetInfo = SpGetInfo;
KerberosFunctionTable.AcceptCredentials = SpAcceptCredentials;
KerberosFunctionTable.AcquireCredentialsHandle = SpAcquireCredentialsHandle;
KerberosFunctionTable.FreeCredentialsHandle = SpFreeCredentialsHandle;
KerberosFunctionTable.QueryCredentialsAttributes = SpQueryCredentialsAttributes;
KerberosFunctionTable.SaveCredentials = SpSaveCredentials;
KerberosFunctionTable.GetCredentials = SpGetCredentials;
KerberosFunctionTable.DeleteCredentials = SpDeleteCredentials;
KerberosFunctionTable.InitLsaModeContext = SpInitLsaModeContext;
KerberosFunctionTable.AcceptLsaModeContext = SpAcceptLsaModeContext;
KerberosFunctionTable.DeleteContext = SpDeleteContext;
KerberosFunctionTable.ApplyControlToken = SpApplyControlToken;
KerberosFunctionTable.GetUserInfo = SpGetUserInfo;
KerberosFunctionTable.GetExtendedInformation = SpGetExtendedInformation;
KerberosFunctionTable.QueryContextAttributes = SpQueryLsaModeContextAttributes;
KerberosFunctionTable.CallPackagePassthrough = LsaApCallPackagePassthrough;
*PackageVersion = SECPKG_INTERFACE_VERSION;
*TableCount = 1;
*Tables = &KerberosFunctionTable;
// initialize event tracing (a/k/a WMI tracing, software tracing)
KerbInitializeTrace();
return(STATUS_SUCCESS);
}
#endif // WIN32_CHICAGO
//+-------------------------------------------------------------------------
//
// Function: SpInitialize
//
// Synopsis: Initializes the Kerberos package
//
// Effects:
//
// Arguments: PackageId - Contains ID for this package assigned by LSA
// Parameters - Contains machine-specific information
// FunctionTable - Contains table of LSA helper routines
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
SpInitialize(
IN ULONG_PTR PackageId,
IN PSECPKG_PARAMETERS Parameters,
IN PLSA_SECPKG_FUNCTION_TABLE FunctionTable
)
{
NTSTATUS Status;
UNICODE_STRING TempUnicodeString;
#ifndef WIN32_CHICAGO
WCHAR SafeBootEnvVar[sizeof(SAFEBOOT_MINIMAL_STR_W) + sizeof(WCHAR)];
#endif // WIN32_CHICAGO
UNICODE_STRING DnsString = {0};;
#ifdef WIN32_CHICAGO
PKERB_LOGON_SESSION LogonSession = NULL;
#endif // WIN32_CHICAGO
#ifndef WIN32_CHICAGO
RtlInitializeResource(&KerberosGlobalResource);
#endif // WIN32_CHICAGO
KerberosPackageId = PackageId;
LsaFunctions = FunctionTable;
#ifndef WIN32_CHICAGO
KerberosState = KerberosLsaMode;
#else // WIN32_CHICAGO
KerberosState = KerberosUserMode;
#endif // WIN32_CHICAGO
RtlInitUnicodeString(
&KerbPackageName,
MICROSOFT_KERBEROS_NAME_W
);
#ifndef WIN32_CHICAGO
// Check is we are in safe boot.
//
// Does environment variable exist
//
RtlZeroMemory( SafeBootEnvVar, sizeof( SafeBootEnvVar ) );
KerbGlobalSafeModeBootOptionPresent = FALSE;
if ( GetEnvironmentVariable(L"SAFEBOOT_OPTION", SafeBootEnvVar, sizeof(SafeBootEnvVar)/sizeof(SafeBootEnvVar[0]) ) )
{
if ( !wcscmp( SafeBootEnvVar, SAFEBOOT_MINIMAL_STR_W ) )
{
KerbGlobalSafeModeBootOptionPresent = TRUE;
}
}
#endif // WIN32_CHICAGO
Status = KerbInitializeEvents();
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
//
// Init data for the kdc calling routine
//
#ifndef WIN32_CHICAGO
Status = KerbInitKdcData();
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
//
// init global LSA policy handle.
//
Status = LsaIOpenPolicyTrusted(
&KerbGlobalPolicyHandle
);
if(!NT_SUCCESS(Status))
{
goto Cleanup;
}
#endif // WIN32_CHICAGO
//
// Get information about encryption
//
if ((Parameters->MachineState & SECPKG_STATE_ENCRYPTION_PERMITTED) != 0)
{
KerbGlobalEncryptionPermitted = TRUE;
}
if ((Parameters->MachineState & SECPKG_STATE_STRONG_ENCRYPTION_PERMITTED) != 0)
{
KerbGlobalStrongEncryptionPermitted = TRUE;
}
//
// Get our global role
//
if ((Parameters->MachineState & SECPKG_STATE_DOMAIN_CONTROLLER) != 0)
{
//
// We will behave like a member workstation/server until the DS
// says we are ready to act as a DC
//
KerbGlobalRole = KerbRoleWorkstation;
}
else if ((Parameters->MachineState & SECPKG_STATE_WORKSTATION) != 0)
{
KerbGlobalRole = KerbRoleWorkstation;
}
else
{
KerbGlobalRole = KerbRoleStandalone;
}
//
// Fill in various useful constants
//
KerbSetTime(&KerbGlobalWillNeverTime, MAXTIMEQUADPART);
KerbSetTime(&KerbGlobalHasNeverTime, 0);
//
// compute blank password hashes.
//
Status = RtlCalculateLmOwfPassword( "", &KerbGlobalNullLmOwfPassword );
ASSERT( NT_SUCCESS(Status) );
RtlInitUnicodeString(&TempUnicodeString, NULL);
Status = RtlCalculateNtOwfPassword(&TempUnicodeString,
&KerbGlobalNullNtOwfPassword);
ASSERT( NT_SUCCESS(Status) );
RtlInitUnicodeString(
&KerbGlobalKdcServiceName,
KDC_PRINCIPAL_NAME
);
//
// At some point we may want to read the registry here to
// find out whether we need to enforce times, currently times
// are always enforced.
//
KerbGlobalEnforceTime = FALSE;
//
// Get the machine Name
//
Status = KerbSetComputerName();
if( !NT_SUCCESS(Status) )
{
D_DebugLog((DEB_ERROR,"KerbSetComputerName failed\n"));
goto Cleanup;
}
//
// Initialize the logon session list. This has to be done because
// KerbSetDomainName will try to acess the logon session list
//
Status = KerbInitLogonSessionList();
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR,"Failed to initialize logon session list: 0x%x. %ws, line %d\n",
Status, THIS_FILE, __LINE__ ));
goto Cleanup;
}
Status = KerbInitNetworkServiceLoopbackDetection();
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR, "Failed to initialize network service loopback detection: 0x%x. %ws, line %d\n",
Status, THIS_FILE, __LINE__ ));
goto Cleanup;
}
Status = KerbCreateSKeyTimer();
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR, "Failed to initialize network service session key list timer: 0x%x. %ws, line %d\n",
Status, THIS_FILE, __LINE__ ));
goto Cleanup;
}
Status = KerbInitTicketHandling();
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR,"Failed to initialize ticket handling: 0x%x. %ws, line %d\n",
Status, THIS_FILE, __LINE__));
goto Cleanup;
}
#ifndef WIN32_CHICAGO
Status = KerbInitializeLogonSidCache();
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR,"Failed to initialize sid cache: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
goto Cleanup;
}
#endif
//
// Update all global structures referencing the domain name
//
Status = KerbSetDomainName(
&Parameters->DomainName,
&Parameters->DnsDomainName,
Parameters->DomainSid,
Parameters->DomainGuid
);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
//
// Initialize the internal Kerberos lists
//
Status = KerbInitCredentialList();
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR,"Failed to initialize credential list: 0x%x. %ws, line %d\n",
Status, THIS_FILE, __LINE__ ));
goto Cleanup;
}
Status = KerbInitContextList();
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR,"Failed to initialize context list: 0x%x. %ws, line %d\n",
Status, THIS_FILE, __LINE__ ));
goto Cleanup;
}
Status = KerbInitTicketCaching();
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR,"Failed to initialize ticket cache: 0x%x. %ws, line %d\n",
Status, THIS_FILE, __LINE__));
goto Cleanup;
}
Status = KerbInitBindingCache();
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR,"Failed to initialize binding cache: 0x%x. %ws, line %d\n",
Status, THIS_FILE, __LINE__));
goto Cleanup;
}
Status = KerbInitSpnCache();
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR,"Failed to initialize SPN cache: 0x%x. %ws, line %d\n",
Status, THIS_FILE, __LINE__));
goto Cleanup;
}
Status = KerbInitializeMitRealmList();
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR,"Failed to initialize MIT realm list: 0x%x. %ws, line %d\n",
Status, THIS_FILE, __LINE__ ));
goto Cleanup;
}
#ifndef WIN32_CHICAGO
Status = KerbInitializePkinit();
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR,"Failed to initialize PKINT: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
goto Cleanup;
}
#endif // WIN32_CHICAGO
Status = KerbInitializeSockets(
MAKEWORD(1,1), // we want version 1.1
1, // we need at least 1 socket
&KerbGlobalNoTcpUdp
);
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR,"Failed to initialize sockets: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
goto Cleanup;
}
#ifndef WIN32_CHICAGO
Status = KerbRegisterForDomainChange();
if (!NT_SUCCESS(Status))
{
D_DebugLog((DEB_ERROR, "Failed to register for domain change notification: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
goto Cleanup;
}
//
// Check to see if there is a CSP registered for replacing the StringToKey calculation
//
CheckForOutsideStringToKey();
//
// Register to update the machine sid cache
//
KerbWaitGetMachineSid();
//
// See if there are any "join hints" to process
//
ReadInitialDcRecord(
&KerbGlobalInitialDcRecord,
&KerbGlobalInitialDcAddressType,
&KerbGlobalInitialDcFlags
);
#endif // WIN32_CHICAGO
KerbGlobalSocketsInitialized = TRUE;
KerbGlobalInitialized = TRUE;
Cleanup:
KerbFreeString(
&DnsString
);
//
// If we failed to initialize, shutdown
//
if (!NT_SUCCESS(Status))
{
SpCleanup();
}
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: SpCleanup
//
// Synopsis: Function to shutdown the Kerberos package.
//
// Effects: Forces the freeing of all credentials, contexts and
// logon sessions and frees all global data
//
// Arguments: none
//
// Requires:
//
// Returns:
//
// Notes: STATUS_SUCCESS in all cases
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
SpCleanup(
VOID
)
{
KerbGlobalInitialized = FALSE;
#ifndef WIN32_CHICAGO
KerbUnregisterForDomainChange();
#endif // WIN32_CHICAGO
KerbFreeLogonSessionList();
KerbFreeContextList();
KerbFreeTicketCache();
// KerbFreeCredentialList();
KerbFreeNetworkServiceSKeyListAndLock();
KerbFreeSKeyTimer();
KerbFreeString(&KerbGlobalDomainName);
KerbFreeString(&KerbGlobalDnsDomainName);
KerbFreeString(&KerbGlobalMachineName);
KerbFreeString((PUNICODE_STRING) &KerbGlobalKerbMachineName);
KerbFreeString(&KerbGlobalMachineServiceName);
KerbFreeKdcName(&KerbGlobalInternalMachineServiceName);
KerbFreeKdcName(&KerbGlobalMitMachineServiceName);
KerbCleanupTicketHandling();
#ifndef WIN32_CHICAGO
if( KerbGlobalPolicyHandle != NULL )
{
LsarClose( &KerbGlobalPolicyHandle );
KerbGlobalPolicyHandle = NULL;
}
if (KerbGlobalDomainSid != NULL)
{
KerbFree(KerbGlobalDomainSid);
}
#endif // WIN32_CHICAGO
if (KerbGlobalSocketsInitialized)
{
KerbCleanupSockets();
}
KerbCleanupBindingCache(FALSE);
KerbUninitializeMitRealmList();
#ifndef WIN32_CHICAGO
KerbFreeKdcData();
// RtlDeleteResource(&KerberosGlobalResource);
#endif // WIN32_CHICGAO
KerbShutdownEvents();
return(STATUS_SUCCESS);
}
//+-------------------------------------------------------------------------
//
// Function: SpShutdown
//
// Synopsis: Exported function to shutdown the Kerberos package.
//
// Effects: Forces the freeing of all credentials, contexts and
// logon sessions and frees all global data
//
// Arguments: none
//
// Requires:
//
// Returns:
//
// Notes: STATUS_SUCCESS in all cases
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
SpShutdown(
VOID
)
{
#if 0
SpCleanup();
#endif
return(STATUS_SUCCESS);
}
#ifndef WIN32_CHICAGO
//+-------------------------------------------------------------------------
//
// Function: SpGetInfo
//
// Synopsis: Returns information about the package
//
// Effects: returns pointers to global data
//
// Arguments: PackageInfo - Receives kerberos package information
//
// Requires:
//
// Returns: STATUS_SUCCESS in all cases
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
SpGetInfo(
OUT PSecPkgInfo PackageInfo
)
{
PackageInfo->wVersion = SECURITY_SUPPORT_PROVIDER_INTERFACE_VERSION;
PackageInfo->wRPCID = RPC_C_AUTHN_GSS_KERBEROS;
PackageInfo->fCapabilities = KERBEROS_CAPABILITIES;
PackageInfo->cbMaxToken = KerbGlobalMaxTokenSize;
PackageInfo->Name = KERBEROS_PACKAGE_NAME;
PackageInfo->Comment = KERBEROS_PACKAGE_COMMENT;
return(STATUS_SUCCESS);
}
//+-------------------------------------------------------------------------
//
// Function: SpGetExtendedInformation
//
// Synopsis: returns additional information about the package
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS
SpGetExtendedInformation(
IN SECPKG_EXTENDED_INFORMATION_CLASS Class,
OUT PSECPKG_EXTENDED_INFORMATION * ppInformation
)
{
NTSTATUS Status = STATUS_SUCCESS;
PSECPKG_EXTENDED_INFORMATION Information = NULL ;
PSECPKG_SERIALIZED_OID SerializedOid;
ULONG Size ;
switch(Class) {
case SecpkgGssInfo:
DsysAssert(gss_mech_krb5_new->length >= 2);
DsysAssert(gss_mech_krb5_new->length < 127);
//
// We need to leave space for the oid and the BER header, which is
// 0x6 and then the length of the oid.
//
Information = (PSECPKG_EXTENDED_INFORMATION)
KerbAllocate(sizeof(SECPKG_EXTENDED_INFORMATION) +
gss_mech_krb5_new->length - 2);
if (Information == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
Information->Class = SecpkgGssInfo;
Information->Info.GssInfo.EncodedIdLength = gss_mech_krb5_new->length + 2;
Information->Info.GssInfo.EncodedId[0] = 0x6; // BER OID type
Information->Info.GssInfo.EncodedId[1] = (UCHAR) gss_mech_krb5_new->length;
RtlCopyMemory(
&Information->Info.GssInfo.EncodedId[2],
gss_mech_krb5_new->elements,
gss_mech_krb5_new->length
);
*ppInformation = Information;
Information = NULL;
break;
case SecpkgContextThunks:
//
// Note - we don't need to add any space for the thunks as there
// is only one, and the structure has space for one. If any more
// thunks are added, we will need to add space for those.
//
Information = (PSECPKG_EXTENDED_INFORMATION)
KerbAllocate(sizeof(SECPKG_EXTENDED_INFORMATION));
if (Information == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
Information->Class = SecpkgContextThunks;
Information->Info.ContextThunks.InfoLevelCount = 1;
Information->Info.ContextThunks.Levels[0] = SECPKG_ATTR_NATIVE_NAMES;
*ppInformation = Information;
Information = NULL;
break;
case SecpkgWowClientDll:
//
// This indicates that we're smart enough to handle wow client processes
//
Information = (PSECPKG_EXTENDED_INFORMATION)
KerbAllocate( sizeof( SECPKG_EXTENDED_INFORMATION ) +
(MAX_PATH * sizeof(WCHAR) ) );
if ( Information == NULL )
{
Status = STATUS_INSUFFICIENT_RESOURCES ;
goto Cleanup ;
}
Information->Class = SecpkgWowClientDll ;
Information->Info.WowClientDll.WowClientDllPath.Buffer = (PWSTR) (Information + 1);
Size = ExpandEnvironmentStrings(
L"%SystemRoot%\\" WOW64_SYSTEM_DIRECTORY_U L"\\Kerberos.DLL",
Information->Info.WowClientDll.WowClientDllPath.Buffer,
MAX_PATH );
Information->Info.WowClientDll.WowClientDllPath.Length = (USHORT) (Size * sizeof(WCHAR));
Information->Info.WowClientDll.WowClientDllPath.MaximumLength = (USHORT) ((Size + 1) * sizeof(WCHAR) );
*ppInformation = Information ;
Information = NULL ;
break;
case SecpkgExtraOids:
Size = sizeof( SECPKG_EXTENDED_INFORMATION ) +
2 * sizeof( SECPKG_SERIALIZED_OID ) ;
Information = (PSECPKG_EXTENDED_INFORMATION)
KerbAllocate( Size );
if ( Information == NULL )
{
Status = STATUS_INSUFFICIENT_RESOURCES ;
goto Cleanup ;
}
Information->Class = SecpkgExtraOids ;
Information->Info.ExtraOids.OidCount = 2 ;
SerializedOid = Information->Info.ExtraOids.Oids;
SerializedOid->OidLength = gss_mech_krb5_spnego->length + 2;
SerializedOid->OidAttributes = SECPKG_CRED_BOTH ;
SerializedOid->OidValue[ 0 ] = 0x06 ; // BER OID type
SerializedOid->OidValue[ 1 ] = (UCHAR) gss_mech_krb5_spnego->length;
RtlCopyMemory(
&SerializedOid->OidValue[2],
gss_mech_krb5_spnego->elements,
gss_mech_krb5_spnego->length
);
SerializedOid++ ;
SerializedOid->OidLength = gss_mech_krb5_u2u->length + 2;
SerializedOid->OidAttributes = SECPKG_CRED_INBOUND ;
SerializedOid->OidValue[ 0 ] = 0x06 ; // BER OID type
SerializedOid->OidValue[ 1 ] = (UCHAR) gss_mech_krb5_u2u->length;
RtlCopyMemory(
&SerializedOid->OidValue[2],
gss_mech_krb5_u2u->elements,
gss_mech_krb5_u2u->length
);
*ppInformation = Information ;
Information = NULL ;
break;
default:
return(STATUS_INVALID_INFO_CLASS);
}
Cleanup:
if (Information != NULL)
{
KerbFree(Information);
}
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: LsaApInitializePackage
//
// Synopsis: Obsolete pacakge initialize function, supported for
// compatibility only. This function has no effect.
//
// Effects: none
//
// Arguments:
//
// Requires:
//
// Returns: STATUS_SUCCESS always
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
LsaApInitializePackage(
IN ULONG AuthenticationPackageId,
IN PLSA_DISPATCH_TABLE LsaDispatchTable,
IN PLSA_STRING Database OPTIONAL,
IN PLSA_STRING Confidentiality OPTIONAL,
OUT PLSA_STRING *AuthenticationPackageName
)
{
return(STATUS_SUCCESS);
}
BOOLEAN
KerbIsInitialized(
VOID
)
{
return KerbGlobalInitialized;
}
NTSTATUS
KerbKdcCallBack(
VOID
)
{
PKERB_BINDING_CACHE_ENTRY CacheEntry = NULL;
NTSTATUS Status = STATUS_SUCCESS;
KerbGlobalWriteLock();
KerbGlobalRole = KerbRoleDomainController;
Status = KerbLoadKdc();
//
// Purge the binding cache of entries for this domain
//
CacheEntry = KerbLocateBindingCacheEntry(
&KerbGlobalDnsDomainName,
0,
TRUE
);
if (CacheEntry != NULL)
{
KerbDereferenceBindingCacheEntry(CacheEntry);
}
CacheEntry = KerbLocateBindingCacheEntry(
&KerbGlobalDomainName,
0,
TRUE
);
if (CacheEntry != NULL)
{
KerbDereferenceBindingCacheEntry(CacheEntry);
}
//
// PurgeSpnCache, because we may now have "better" state,
// e.g. right after DCPromo our SPNs may not have replicated.
//
KerbCleanupSpnCache();
KerbGlobalReleaseLock();
return Status;
}
#endif // WIN32_CHICAGO