mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6874 lines
182 KiB
6874 lines
182 KiB
//+-----------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
//
|
|
// Copyright (c) Microsoft Corporation 1992 - 1996
|
|
//
|
|
// File: kerbtick.cxx
|
|
//
|
|
// Contents: Routines for obtaining and manipulating tickets
|
|
//
|
|
//
|
|
// History: 23-April-1996 Created MikeSw
|
|
// 26-Sep-1998 ChandanS
|
|
// Added more debugging support etc.
|
|
// 15-Oct-1999 ChandanS
|
|
// Send more choice of encryption types.
|
|
//
|
|
//------------------------------------------------------------------------
|
|
|
|
#include <kerb.hxx>
|
|
#include <kerbp.h>
|
|
#include <userapi.h> // for GSS support routines
|
|
#include <kerbpass.h>
|
|
#include <krbaudit.h>
|
|
|
|
extern "C"
|
|
{
|
|
#include <stdlib.h> // abs()
|
|
}
|
|
|
|
#include <utils.hxx>
|
|
|
|
#ifdef RETAIL_LOG_SUPPORT
|
|
static TCHAR THIS_FILE[]=TEXT(__FILE__);
|
|
#endif
|
|
#define FILENO FILENO_KERBTICK
|
|
|
|
|
|
#ifndef WIN32_CHICAGO // We don't do server side stuff
|
|
#include <authen.hxx>
|
|
|
|
CAuthenticatorList * Authenticators;
|
|
#endif // WIN32_CHICAGO // We don't do server side stuff
|
|
|
|
#include <lsaitf.h>
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbGetTgtForService
|
|
//
|
|
// Synopsis: Gets a TGT for the domain of the specified service. If a
|
|
// cached one is available, it uses that one. Otherwise it
|
|
// calls the KDC to acquire it.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: LogonSession - Logon session for which to acquire a ticket
|
|
// Credentials - If present & contains supp. creds, use them
|
|
// for the ticket cache
|
|
// SuppRealm - This is a supplied realm for which to acquire
|
|
// a TGT, this may or may not be the same as the
|
|
// TargetDomain.
|
|
// TargetDomain - Realm of service for which to acquire a TGT
|
|
// NewCacheEntry - Receives a referenced ticket cache entry for
|
|
// TGT
|
|
// CrossRealm - TRUE if target is known to be in a different realm
|
|
//
|
|
// Requires: The primary credentials be locked
|
|
//
|
|
// Returns: Kerberos errors, NT status codes.
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbGetTgtForService(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_CREDENTIAL Credential,
|
|
IN OPTIONAL PKERB_CREDMAN_CRED CredManCredentials,
|
|
IN OPTIONAL PUNICODE_STRING SuppRealm,
|
|
IN PUNICODE_STRING TargetDomain,
|
|
IN ULONG TargetFlags,
|
|
OUT PKERB_TICKET_CACHE_ENTRY * NewCacheEntry,
|
|
OUT PBOOLEAN CrossRealm
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PKERB_TICKET_CACHE_ENTRY CacheEntry;
|
|
BOOLEAN DoRetry = TRUE;
|
|
PKERB_PRIMARY_CREDENTIAL PrimaryCredentials;
|
|
|
|
*CrossRealm = FALSE;
|
|
*NewCacheEntry = NULL;
|
|
|
|
|
|
if (ARGUMENT_PRESENT(Credential) && (Credential->SuppliedCredentials != NULL))
|
|
{
|
|
PrimaryCredentials = Credential->SuppliedCredentials;
|
|
}
|
|
else if (ARGUMENT_PRESENT(CredManCredentials))
|
|
{
|
|
PrimaryCredentials = CredManCredentials->SuppliedCredentials;
|
|
}
|
|
else
|
|
{
|
|
PrimaryCredentials = &LogonSession->PrimaryCredentials;
|
|
}
|
|
|
|
|
|
|
|
if (TargetDomain->Length != 0)
|
|
{
|
|
CacheEntry = KerbLocateTicketCacheEntryByRealm(
|
|
&PrimaryCredentials->AuthenticationTicketCache,
|
|
TargetDomain,
|
|
0
|
|
);
|
|
|
|
if (CacheEntry != NULL)
|
|
{
|
|
*NewCacheEntry = CacheEntry;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Well, we didn't find one to the other domain. Return a TGT for our
|
|
// domain.
|
|
//
|
|
|
|
Retry:
|
|
|
|
CacheEntry = KerbLocateTicketCacheEntryByRealm(
|
|
&PrimaryCredentials->AuthenticationTicketCache,
|
|
SuppRealm,
|
|
KERB_TICKET_CACHE_PRIMARY_TGT
|
|
);
|
|
|
|
|
|
if (CacheEntry != NULL)
|
|
{
|
|
|
|
//
|
|
// The first pass, make sure the ticket has a little bit of life.
|
|
// The second pass, we don't ask for as much
|
|
//
|
|
|
|
if (!KerbTicketIsExpiring(CacheEntry, DoRetry))
|
|
{
|
|
Status = STATUS_SUCCESS;
|
|
*NewCacheEntry = CacheEntry;
|
|
|
|
//
|
|
// If the TGT is not for the domain of the service,
|
|
// this is cross realm. If we used the SPN cache, we're
|
|
// obviously missing a ticket, and we need to restart the
|
|
// referral process.
|
|
//
|
|
//
|
|
|
|
if ((TargetDomain->Length != 0) &&
|
|
(TargetFlags & KERB_TARGET_USED_SPN_CACHE) == 0)
|
|
{
|
|
*CrossRealm = TRUE;
|
|
}
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Try to obtain a new TGT
|
|
//
|
|
|
|
if (DoRetry)
|
|
{
|
|
//
|
|
// Unlock the logon session so we can try to get a new TGT
|
|
//
|
|
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
|
|
Status = KerbRefreshPrimaryTgt(
|
|
LogonSession,
|
|
Credential,
|
|
CredManCredentials,
|
|
SuppRealm,
|
|
CacheEntry
|
|
);
|
|
|
|
if (CacheEntry != NULL)
|
|
{
|
|
// pull the old TGT from the list, as its been replaced
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
KerbRemoveTicketCacheEntry(CacheEntry);
|
|
}
|
|
|
|
KerbDereferenceTicketCacheEntry(CacheEntry);
|
|
CacheEntry = NULL;
|
|
}
|
|
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to refresh primary TGT: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__ ));
|
|
goto Cleanup;
|
|
}
|
|
DoRetry = FALSE;
|
|
goto Retry;
|
|
}
|
|
|
|
Status = STATUS_OBJECT_NAME_NOT_FOUND;
|
|
|
|
Cleanup:
|
|
if (!NT_SUCCESS(Status) && (CacheEntry != NULL))
|
|
{
|
|
KerbDereferenceTicketCacheEntry(CacheEntry);
|
|
*NewCacheEntry = NULL;
|
|
}
|
|
|
|
return(Status);
|
|
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbBuildKerbCred
|
|
//
|
|
// Synopsis: Builds a marshalled KERB_CRED structure
|
|
//
|
|
// Effects: allocates destination with MIDL_user_allocate
|
|
//
|
|
// Arguments: Ticket - The ticket of the session key to seal the
|
|
// encrypted portion (OPTIONAL)
|
|
// DelegationTicket - The ticket to marshall into the cred message
|
|
// MarshalledKerbCred - Receives a marshalled KERB_CRED structure
|
|
// KerbCredSizes - Receives size, in bytes, of marshalled
|
|
// KERB_CRED.
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbBuildKerbCred(
|
|
IN OPTIONAL PKERB_TICKET_CACHE_ENTRY Ticket,
|
|
IN PKERB_TICKET_CACHE_ENTRY DelegationTicket,
|
|
OUT PUCHAR * MarshalledKerbCred,
|
|
OUT PULONG KerbCredSize
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
KERBERR KerbErr;
|
|
KERB_CRED KerbCred;
|
|
KERB_CRED_INFO_LIST CredInfo;
|
|
KERB_ENCRYPTED_CRED EncryptedCred;
|
|
KERB_CRED_TICKET_LIST TicketList;
|
|
PUCHAR MarshalledEncryptPart = NULL;
|
|
ULONG MarshalledEncryptSize;
|
|
ULONG ConvertedFlags;
|
|
|
|
//
|
|
// Initialize the structures so they can be freed later.
|
|
//
|
|
|
|
*MarshalledKerbCred = NULL;
|
|
*KerbCredSize = 0;
|
|
|
|
RtlZeroMemory(
|
|
&KerbCred,
|
|
sizeof(KERB_CRED)
|
|
);
|
|
|
|
RtlZeroMemory(
|
|
&EncryptedCred,
|
|
sizeof(KERB_ENCRYPTED_CRED)
|
|
);
|
|
RtlZeroMemory(
|
|
&CredInfo,
|
|
sizeof(KERB_CRED_INFO_LIST)
|
|
);
|
|
RtlZeroMemory(
|
|
&TicketList,
|
|
sizeof(KERB_CRED_TICKET_LIST)
|
|
);
|
|
|
|
KerbCred.version = KERBEROS_VERSION;
|
|
KerbCred.message_type = KRB_CRED;
|
|
|
|
//
|
|
// First stick the ticket into the ticket list.
|
|
//
|
|
|
|
KerbReadLockTicketCache();
|
|
|
|
TicketList.next= NULL;
|
|
TicketList.value = DelegationTicket->Ticket;
|
|
KerbCred.tickets = &TicketList;
|
|
|
|
//
|
|
// Now build the KERB_CRED_INFO for this ticket
|
|
//
|
|
|
|
CredInfo.value.key = DelegationTicket->SessionKey;
|
|
KerbConvertLargeIntToGeneralizedTime(
|
|
&CredInfo.value.endtime,
|
|
NULL,
|
|
&DelegationTicket->EndTime
|
|
);
|
|
CredInfo.value.bit_mask |= endtime_present;
|
|
|
|
KerbConvertLargeIntToGeneralizedTime(
|
|
&CredInfo.value.starttime,
|
|
NULL,
|
|
&DelegationTicket->StartTime
|
|
);
|
|
CredInfo.value.bit_mask |= KERB_CRED_INFO_starttime_present;
|
|
|
|
KerbConvertLargeIntToGeneralizedTime(
|
|
&CredInfo.value.KERB_CRED_INFO_renew_until,
|
|
NULL,
|
|
&DelegationTicket->RenewUntil
|
|
);
|
|
CredInfo.value.bit_mask |= KERB_CRED_INFO_renew_until_present;
|
|
|
|
ConvertedFlags = KerbConvertUlongToFlagUlong(DelegationTicket->TicketFlags);
|
|
CredInfo.value.flags.value = (PUCHAR) &ConvertedFlags;
|
|
CredInfo.value.flags.length = 8 * sizeof(ULONG);
|
|
CredInfo.value.bit_mask |= flags_present;
|
|
|
|
//
|
|
// The following fields are marked as optional but treated
|
|
// as mandatory by the MIT implementation of Kerberos and
|
|
// therefore we provide them.
|
|
//
|
|
|
|
KerbErr = KerbConvertKdcNameToPrincipalName(
|
|
&CredInfo.value.principal_name,
|
|
DelegationTicket->ClientName
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
CredInfo.value.bit_mask |= principal_name_present;
|
|
|
|
KerbErr = KerbConvertKdcNameToPrincipalName(
|
|
&CredInfo.value.service_name,
|
|
DelegationTicket->ServiceName
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
CredInfo.value.bit_mask |= service_name_present;
|
|
|
|
//
|
|
// We are assuming that because we are sending a TGT the
|
|
// client realm is the same as the serve realm. If we ever
|
|
// send non-tgt or cross-realm tgt, this needs to be fixed.
|
|
//
|
|
|
|
KerbErr = KerbConvertUnicodeStringToRealm(
|
|
&CredInfo.value.principal_realm,
|
|
&DelegationTicket->ClientDomainName
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
//
|
|
// The realms are the same, so don't allocate both
|
|
//
|
|
|
|
CredInfo.value.service_realm = CredInfo.value.principal_realm;
|
|
CredInfo.value.bit_mask |= principal_realm_present | service_realm_present;
|
|
|
|
EncryptedCred.ticket_info = &CredInfo;
|
|
|
|
|
|
//
|
|
// Now encrypted the encrypted cred into the cred
|
|
//
|
|
|
|
if (!KERB_SUCCESS(KerbPackEncryptedCred(
|
|
&EncryptedCred,
|
|
&MarshalledEncryptSize,
|
|
&MarshalledEncryptPart
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// If we are doing DES encryption, then we are talking with an non-NT
|
|
// server. Hence, don't encrypt the kerb-cred.
|
|
//
|
|
// Additionally, if service ticket == NULL, don't encrypt kerb cred
|
|
//
|
|
|
|
if (!ARGUMENT_PRESENT(Ticket))
|
|
{
|
|
KerbCred.encrypted_part.cipher_text.length = MarshalledEncryptSize;
|
|
KerbCred.encrypted_part.cipher_text.value = MarshalledEncryptPart;
|
|
KerbCred.encrypted_part.encryption_type = 0;
|
|
MarshalledEncryptPart = NULL;
|
|
}
|
|
else if( KERB_IS_DES_ENCRYPTION(Ticket->SessionKey.keytype))
|
|
{
|
|
KerbCred.encrypted_part.cipher_text.length = MarshalledEncryptSize;
|
|
KerbCred.encrypted_part.cipher_text.value = MarshalledEncryptPart;
|
|
KerbCred.encrypted_part.encryption_type = 0;
|
|
MarshalledEncryptPart = NULL;
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Now get the encryption overhead
|
|
//
|
|
|
|
KerbErr = KerbAllocateEncryptionBufferWrapper(
|
|
Ticket->SessionKey.keytype,
|
|
MarshalledEncryptSize,
|
|
&KerbCred.encrypted_part.cipher_text.length,
|
|
&KerbCred.encrypted_part.cipher_text.value
|
|
);
|
|
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
|
|
//
|
|
// Encrypt the data.
|
|
//
|
|
|
|
KerbErr = KerbEncryptDataEx(
|
|
&KerbCred.encrypted_part,
|
|
MarshalledEncryptSize,
|
|
MarshalledEncryptPart,
|
|
Ticket->SessionKey.keytype,
|
|
KERB_CRED_SALT,
|
|
&Ticket->SessionKey
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Now we have to marshall the whole KERB_CRED
|
|
//
|
|
|
|
if (!KERB_SUCCESS(KerbPackKerbCred(
|
|
&KerbCred,
|
|
KerbCredSize,
|
|
MarshalledKerbCred
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
Cleanup:
|
|
KerbUnlockTicketCache();
|
|
|
|
KerbFreePrincipalName(&CredInfo.value.service_name);
|
|
|
|
KerbFreePrincipalName(&CredInfo.value.principal_name);
|
|
|
|
KerbFreeRealm(&CredInfo.value.principal_realm);
|
|
|
|
if (MarshalledEncryptPart != NULL)
|
|
{
|
|
MIDL_user_free(MarshalledEncryptPart);
|
|
}
|
|
if (KerbCred.encrypted_part.cipher_text.value != NULL)
|
|
{
|
|
MIDL_user_free(KerbCred.encrypted_part.cipher_text.value);
|
|
}
|
|
return(Status);
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbGetDelegationTgt
|
|
//
|
|
// Synopsis: Gets a TGT to delegate to another service. This TGT
|
|
// is marked as forwarded and does not include any
|
|
// client addresses
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires: Logon sesion must be read-locked
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes: This gets a delegation TGT & caches it under the realm name
|
|
// "$$Delegation Ticket$$". When we look for it again later,
|
|
// it should be discoverable under the same name.
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS
|
|
KerbGetDelegationTgt(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_PRIMARY_CREDENTIAL Credentials,
|
|
IN LONG EncryptionType,
|
|
OUT PKERB_TICKET_CACHE_ENTRY * DelegationTgt
|
|
)
|
|
{
|
|
PKERB_TICKET_CACHE_ENTRY TicketGrantingTicket = NULL;
|
|
PKERB_INTERNAL_NAME TgsName = NULL;
|
|
UNICODE_STRING TgsRealm = {0};
|
|
PKERB_KDC_REPLY KdcReply = NULL;
|
|
PKERB_ENCRYPTED_KDC_REPLY KdcReplyBody = NULL;
|
|
BOOLEAN LogonSessionLocked = TRUE;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
UNICODE_STRING CacheName;
|
|
BOOLEAN CacheTicket = TRUE;
|
|
ULONG RetryFlags = 0;
|
|
|
|
RtlInitUnicodeString(
|
|
&CacheName,
|
|
L"$$Delegation Ticket$$"
|
|
);
|
|
|
|
|
|
*DelegationTgt = KerbLocateTicketCacheEntryByRealm(
|
|
&Credentials->AuthenticationTicketCache,
|
|
&CacheName,
|
|
KERB_TICKET_CACHE_DELEGATION_TGT
|
|
);
|
|
if (*DelegationTgt != NULL )
|
|
{
|
|
KerbReadLockTicketCache();
|
|
if (EncryptionType != (*DelegationTgt)->Ticket.encrypted_part.encryption_type)
|
|
{
|
|
KerbUnlockTicketCache();
|
|
KerbDereferenceTicketCacheEntry(*DelegationTgt);
|
|
*DelegationTgt = NULL;
|
|
CacheTicket = FALSE;
|
|
}
|
|
else
|
|
{
|
|
KerbUnlockTicketCache();
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
TicketGrantingTicket = KerbLocateTicketCacheEntryByRealm(
|
|
&Credentials->AuthenticationTicketCache,
|
|
&Credentials->DomainName, // take the logon TGT
|
|
0
|
|
);
|
|
|
|
|
|
if ((TicketGrantingTicket == NULL) ||
|
|
((TicketGrantingTicket->TicketFlags & KERB_TICKET_FLAGS_forwardable) == 0) )
|
|
{
|
|
DebugLog((DEB_WARN,"Trying to delegate but no forwardable TGT\n"));
|
|
Status = SEC_E_NO_CREDENTIALS;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Get the TGT service name from the TGT
|
|
//
|
|
|
|
KerbReadLockTicketCache();
|
|
|
|
Status = KerbDuplicateKdcName(
|
|
&TgsName,
|
|
TicketGrantingTicket->ServiceName
|
|
);
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
Status = KerbDuplicateString(
|
|
&TgsRealm,
|
|
&TicketGrantingTicket->DomainName
|
|
);
|
|
}
|
|
KerbUnlockTicketCache();
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
LogonSessionLocked = FALSE;
|
|
|
|
//
|
|
// Now try to get the ticket.
|
|
//
|
|
|
|
|
|
Status = KerbGetTgsTicket(
|
|
&TgsRealm,
|
|
TicketGrantingTicket,
|
|
TgsName,
|
|
TRUE, // no name canonicalization, no GC lookups.
|
|
KERB_KDC_OPTIONS_forwarded | KERB_DEFAULT_TICKET_FLAGS,
|
|
EncryptionType, // no encryption type
|
|
NULL, // no authorization data
|
|
NULL, // no pa data
|
|
NULL, // no tgt reply
|
|
&KdcReply,
|
|
&KdcReplyBody,
|
|
&RetryFlags
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
LogonSessionLocked = TRUE;
|
|
|
|
Status = KerbCacheTicket(
|
|
&Credentials->AuthenticationTicketCache,
|
|
KdcReply,
|
|
KdcReplyBody,
|
|
NULL, // no target name
|
|
&CacheName,
|
|
KERB_TICKET_CACHE_DELEGATION_TGT,
|
|
CacheTicket, // Cache the ticket
|
|
DelegationTgt
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
Cleanup:
|
|
KerbFreeTgsReply (KdcReply);
|
|
KerbFreeKdcReplyBody (KdcReplyBody);
|
|
|
|
if (TicketGrantingTicket != NULL)
|
|
{
|
|
KerbDereferenceTicketCacheEntry(TicketGrantingTicket);
|
|
}
|
|
KerbFreeKdcName(&TgsName);
|
|
KerbFreeString(&TgsRealm);
|
|
|
|
if (!LogonSessionLocked)
|
|
{
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
}
|
|
|
|
return(Status);
|
|
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbBuildGssChecskum
|
|
//
|
|
// Synopsis: Builds the GSS checksum to go in an AP request
|
|
//
|
|
// Effects: Allocates a checksum with KerbAllocate
|
|
//
|
|
// Arguments: ContextFlags - Requested context flags
|
|
// LogonSession - LogonSession to be used for delegation
|
|
// GssChecksum - Receives the new checksum
|
|
// ApOptions - Receives the requested AP options
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes: The logon session is locked when this is called.
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbBuildGssChecksum(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_PRIMARY_CREDENTIAL PrimaryCredentials,
|
|
IN PKERB_TICKET_CACHE_ENTRY Ticket,
|
|
IN OUT PULONG ContextFlags,
|
|
OUT PKERB_CHECKSUM GssChecksum,
|
|
OUT PULONG ApOptions,
|
|
IN PSEC_CHANNEL_BINDINGS pChannelBindings
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PKERB_GSS_CHECKSUM ChecksumBody = NULL;
|
|
PKERB_TICKET_CACHE_ENTRY TicketGrantingTicket = NULL;
|
|
ULONG ChecksumSize = GSS_CHECKSUM_SIZE;
|
|
ULONG KerbCredSize = 0 ;
|
|
PUCHAR KerbCred = NULL;
|
|
BOOLEAN OkAsDelegate = FALSE, OkToTrustMitKdc = FALSE;
|
|
LONG EncryptionType = 0;
|
|
PKERB_MIT_REALM MitRealm = NULL;
|
|
BOOLEAN UsedAlternateName;
|
|
ULONG BindHash[4];
|
|
|
|
*ApOptions = 0;
|
|
|
|
//
|
|
// If we are doing delegation, built a KERB_CRED message to return
|
|
//
|
|
|
|
if (*ContextFlags & (ISC_RET_DELEGATE | ISC_RET_DELEGATE_IF_SAFE))
|
|
{
|
|
KerbReadLockTicketCache();
|
|
OkAsDelegate = ((Ticket->TicketFlags & KERB_TICKET_FLAGS_ok_as_delegate) != 0) ? TRUE : FALSE;
|
|
EncryptionType = Ticket->Ticket.encrypted_part.encryption_type;
|
|
if (KerbLookupMitRealm(
|
|
&Ticket->DomainName,
|
|
&MitRealm,
|
|
&UsedAlternateName))
|
|
{
|
|
if ((MitRealm->Flags & KERB_MIT_REALM_TRUSTED_FOR_DELEGATION) != 0)
|
|
{
|
|
OkToTrustMitKdc = TRUE;
|
|
}
|
|
}
|
|
KerbUnlockTicketCache();
|
|
|
|
if (OkAsDelegate || OkToTrustMitKdc)
|
|
{
|
|
D_DebugLog((DEB_TRACE,"Asked for delegate if safe, and getting delegation TGT\n"));
|
|
|
|
//
|
|
// Check to see if we have a TGT
|
|
//
|
|
|
|
Status = KerbGetDelegationTgt(
|
|
LogonSession,
|
|
PrimaryCredentials,
|
|
EncryptionType,
|
|
&TicketGrantingTicket
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
//
|
|
// Turn off the delegate flag for building the token.
|
|
//
|
|
|
|
*ContextFlags &= ~ISC_RET_DELEGATE;
|
|
*ContextFlags &= ~ISC_RET_DELEGATE_IF_SAFE;
|
|
DebugLog((DEB_WARN,"Failed to get delegation TGT: 0x%x\n",Status));
|
|
Status = STATUS_SUCCESS;
|
|
}
|
|
else
|
|
{
|
|
|
|
|
|
//
|
|
// Build the KERB_CRED message
|
|
//
|
|
|
|
Status = KerbBuildKerbCred(
|
|
Ticket,
|
|
TicketGrantingTicket,
|
|
&KerbCred,
|
|
&KerbCredSize
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to build KERB_CRED: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
//ChecksumSize= sizeof(KERB_GSS_CHECKSUM) - ANYSIZE_ARRAY * sizeof(UCHAR) + KerbCredSize;
|
|
ChecksumSize = GSS_DELEGATE_CHECKSUM_SIZE + KerbCredSize;
|
|
|
|
//
|
|
// And if only the DELEGATE_IF_SAFE flag was on, turn on the
|
|
// real delegate flag:
|
|
//
|
|
*ContextFlags |= ISC_RET_DELEGATE ;
|
|
}
|
|
|
|
}
|
|
else
|
|
{
|
|
|
|
//
|
|
// Turn off the delegate flag for building the token.
|
|
//
|
|
|
|
*ContextFlags &= ~ISC_RET_DELEGATE;
|
|
*ContextFlags &= ~ISC_RET_DELEGATE_IF_SAFE;
|
|
}
|
|
|
|
|
|
}
|
|
|
|
ChecksumBody = (PKERB_GSS_CHECKSUM) KerbAllocate(ChecksumSize);
|
|
if (ChecksumBody == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Convert the requested flags to AP options.
|
|
//
|
|
|
|
|
|
if ((*ContextFlags & ISC_RET_MUTUAL_AUTH) != 0)
|
|
{
|
|
*ApOptions |= KERB_AP_OPTIONS_mutual_required;
|
|
ChecksumBody->GssFlags |= GSS_C_MUTUAL_FLAG;
|
|
}
|
|
|
|
if ((*ContextFlags & ISC_RET_USE_SESSION_KEY) != 0)
|
|
{
|
|
*ApOptions |= KERB_AP_OPTIONS_use_session_key;
|
|
}
|
|
|
|
if ((*ContextFlags & ISC_RET_USED_DCE_STYLE) != 0)
|
|
{
|
|
ChecksumBody->GssFlags |= GSS_C_DCE_STYLE;
|
|
}
|
|
|
|
if ((*ContextFlags & ISC_RET_SEQUENCE_DETECT) != 0)
|
|
{
|
|
ChecksumBody->GssFlags |= GSS_C_SEQUENCE_FLAG;
|
|
}
|
|
|
|
if ((*ContextFlags & ISC_RET_REPLAY_DETECT) != 0)
|
|
{
|
|
ChecksumBody->GssFlags |= GSS_C_REPLAY_FLAG;
|
|
}
|
|
|
|
if ((*ContextFlags & ISC_RET_CONFIDENTIALITY) != 0)
|
|
{
|
|
ChecksumBody->GssFlags |= GSS_C_CONF_FLAG;
|
|
}
|
|
|
|
if ((*ContextFlags & ISC_RET_INTEGRITY) != 0)
|
|
{
|
|
ChecksumBody->GssFlags |= GSS_C_INTEG_FLAG;
|
|
}
|
|
|
|
if ((*ContextFlags & ISC_RET_IDENTIFY) != 0)
|
|
{
|
|
ChecksumBody->GssFlags |= GSS_C_IDENTIFY_FLAG;
|
|
}
|
|
|
|
if ((*ContextFlags & ISC_RET_EXTENDED_ERROR) != 0)
|
|
{
|
|
ChecksumBody->GssFlags |= GSS_C_EXTENDED_ERROR_FLAG;
|
|
}
|
|
|
|
if ((*ContextFlags & ISC_RET_DELEGATE) != 0)
|
|
{
|
|
ChecksumBody->GssFlags |= GSS_C_DELEG_FLAG;
|
|
ChecksumBody->Delegation = 1;
|
|
ChecksumBody->DelegationLength = (USHORT) KerbCredSize;
|
|
RtlCopyMemory(
|
|
ChecksumBody->DelegationInfo,
|
|
KerbCred,
|
|
KerbCredSize
|
|
);
|
|
}
|
|
|
|
ChecksumBody->BindLength = 0x10;
|
|
|
|
//
|
|
// (viz. Windows Bugs 94818)
|
|
// If channel bindings are absent, BindHash should be {0,0,0,0}
|
|
//
|
|
if( pChannelBindings == NULL )
|
|
{
|
|
RtlZeroMemory( ChecksumBody->BindHash, ChecksumBody->BindLength );
|
|
}
|
|
else
|
|
{
|
|
Status = KerbComputeGssBindHash( pChannelBindings, (PUCHAR)BindHash );
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
RtlCopyMemory( ChecksumBody->BindHash, BindHash, ChecksumBody->BindLength );
|
|
}
|
|
|
|
GssChecksum->checksum_type = GSS_CHECKSUM_TYPE;
|
|
GssChecksum->checksum.length = ChecksumSize;
|
|
GssChecksum->checksum.value = (PUCHAR) ChecksumBody;
|
|
ChecksumBody = NULL;
|
|
|
|
Cleanup:
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
if (ChecksumBody != NULL)
|
|
{
|
|
KerbFree(ChecksumBody);
|
|
}
|
|
}
|
|
if (TicketGrantingTicket != NULL)
|
|
{
|
|
KerbDereferenceTicketCacheEntry(TicketGrantingTicket);
|
|
}
|
|
|
|
if (KerbCred != NULL)
|
|
{
|
|
MIDL_user_free(KerbCred);
|
|
}
|
|
return(Status);
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbBuildApRequest
|
|
//
|
|
// Synopsis: Builds an AP request message from a logon session and a
|
|
// ticket cache entry.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: LogonSession - Logon session used to build this AP request
|
|
// Credential - Optional credential for use with supplemental credentials
|
|
// TicketCacheEntry - Ticket with which to build the AP request
|
|
// ErrorMessage - Optionally contains error message from last AP request
|
|
// ContextFlags - Flags passed in by client indicating
|
|
// authentication requirements. If the flags can't
|
|
// be supported they will be turned off.
|
|
// MarshalledApReqest - Receives a marshalled AP request allocated
|
|
// with KerbAllocate
|
|
// ApRequestSize - Length of the AP reques structure in bytes
|
|
// Nonce - Nonce used for this request. if non-zero, then the
|
|
// nonce supplied by the caller will be used.
|
|
// SubSessionKey - if generated, returns a sub-session key in AP request
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS
|
|
KerbBuildApRequest(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN OPTIONAL PKERB_CREDENTIAL Credential,
|
|
IN OPTIONAL PKERB_CREDMAN_CRED CredManCredentials,
|
|
IN PKERB_TICKET_CACHE_ENTRY TicketCacheEntry,
|
|
IN OPTIONAL PKERB_ERROR ErrorMessage,
|
|
IN ULONG ContextAttributes,
|
|
IN OUT PULONG ContextFlags,
|
|
OUT PUCHAR * MarshalledApRequest,
|
|
OUT PULONG ApRequestSize,
|
|
OUT PULONG Nonce,
|
|
IN OUT PKERB_ENCRYPTION_KEY SubSessionKey,
|
|
IN PSEC_CHANNEL_BINDINGS pChannelBindings
|
|
)
|
|
{
|
|
NTSTATUS Status;
|
|
ULONG ApOptions = 0;
|
|
KERBERR KerbErr;
|
|
KERB_CHECKSUM GssChecksum = {0};
|
|
PKERB_PRIMARY_CREDENTIAL PrimaryCredentials = NULL;
|
|
TimeStamp ServerTime;
|
|
ULONG RequestSize;
|
|
PUCHAR RequestWithHeader = NULL;
|
|
PUCHAR RequestStart;
|
|
gss_OID MechId;
|
|
BOOLEAN LogonSessionLocked = FALSE;
|
|
BOOLEAN StrongEncryptionPermitted = KerbGlobalStrongEncryptionPermitted;
|
|
|
|
|
|
|
|
*ApRequestSize = 0;
|
|
*MarshalledApRequest = NULL;
|
|
|
|
#ifndef WIN32_CHICAGO
|
|
{
|
|
SECPKG_CALL_INFO CallInfo;
|
|
|
|
if (!StrongEncryptionPermitted && LsaFunctions->GetCallInfo(&CallInfo))
|
|
{
|
|
if (CallInfo.Attributes & SECPKG_CALL_IN_PROC )
|
|
{
|
|
StrongEncryptionPermitted = TRUE;
|
|
}
|
|
}
|
|
}
|
|
#endif
|
|
|
|
//
|
|
// If we have an error message, use it to compute a skew time to adjust
|
|
// local time by
|
|
//
|
|
|
|
if (ARGUMENT_PRESENT(ErrorMessage))
|
|
{
|
|
TimeStamp CurrentTime;
|
|
GetSystemTimeAsFileTime((PFILETIME) &CurrentTime);
|
|
|
|
KerbWriteLockTicketCache();
|
|
|
|
//
|
|
// Update the skew cache the first time we fail to a server
|
|
//
|
|
|
|
if ((KERBERR) ErrorMessage->error_code == KRB_AP_ERR_SKEW)
|
|
{
|
|
if (KerbGetTime(TicketCacheEntry->TimeSkew) == 0)
|
|
{
|
|
KerbUpdateSkewTime(TRUE);
|
|
}
|
|
}
|
|
KerbConvertGeneralizedTimeToLargeInt(
|
|
&ServerTime,
|
|
&ErrorMessage->server_time,
|
|
ErrorMessage->server_usec
|
|
);
|
|
KerbSetTime(&TicketCacheEntry->TimeSkew, KerbGetTime(ServerTime) - KerbGetTime(CurrentTime));
|
|
KerbUnlockTicketCache();
|
|
}
|
|
|
|
//
|
|
// Allocate a nonce if we don't have one already.
|
|
//
|
|
|
|
if (*Nonce == 0)
|
|
{
|
|
*Nonce = KerbAllocateNonce();
|
|
}
|
|
|
|
D_DebugLog((DEB_TRACE,"BuildApRequest using nonce 0x%x\n",*Nonce));
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
LogonSessionLocked = TRUE;
|
|
|
|
if (ARGUMENT_PRESENT(Credential))
|
|
{
|
|
if (Credential->SuppliedCredentials != NULL)
|
|
{
|
|
PrimaryCredentials = Credential->SuppliedCredentials;
|
|
}
|
|
}
|
|
|
|
// use cred manager creds if present
|
|
if (ARGUMENT_PRESENT(CredManCredentials))
|
|
{
|
|
PrimaryCredentials = CredManCredentials->SuppliedCredentials;
|
|
}
|
|
|
|
if (PrimaryCredentials == NULL)
|
|
{
|
|
PrimaryCredentials = &LogonSession->PrimaryCredentials;
|
|
}
|
|
|
|
//
|
|
// get the GSS checksum
|
|
//
|
|
|
|
Status = KerbBuildGssChecksum(
|
|
LogonSession,
|
|
PrimaryCredentials,
|
|
TicketCacheEntry,
|
|
ContextFlags,
|
|
&GssChecksum,
|
|
&ApOptions,
|
|
pChannelBindings
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to build GSS checksum: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// If are an export client, create a subsession key. For datagram,
|
|
// the caller passes in a pre-generated session key.
|
|
//
|
|
|
|
//
|
|
// For datagram, they subsession key has already been set so we don't need
|
|
// to create one here.
|
|
//
|
|
|
|
if ((((*ContextFlags & ISC_RET_DATAGRAM) == 0)) ||
|
|
(((*ContextFlags & (ISC_RET_USED_DCE_STYLE | ISC_RET_MUTUAL_AUTH)) == 0) && !KerbGlobalUseStrongEncryptionForDatagram))
|
|
{
|
|
KERBERR KerbErr;
|
|
|
|
//
|
|
// First free the Subsession key, if there was one.
|
|
//
|
|
|
|
|
|
KerbFreeKey(SubSessionKey);
|
|
|
|
if (!StrongEncryptionPermitted)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT,"Making exportable key on client\n"));
|
|
|
|
//
|
|
// First free the Subsession key, if there was one.
|
|
//
|
|
|
|
|
|
KerbErr = KerbMakeExportableKey(
|
|
TicketCacheEntry->SessionKey.keytype,
|
|
SubSessionKey
|
|
);
|
|
}
|
|
else
|
|
{
|
|
|
|
KerbErr = KerbMakeKey(
|
|
TicketCacheEntry->SessionKey.keytype,
|
|
SubSessionKey
|
|
);
|
|
}
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Create the AP request
|
|
//
|
|
|
|
|
|
KerbReadLockTicketCache();
|
|
|
|
KerbErr = KerbCreateApRequest(
|
|
TicketCacheEntry->ClientName,
|
|
&TicketCacheEntry->ClientDomainName,
|
|
&TicketCacheEntry->SessionKey,
|
|
(SubSessionKey->keyvalue.value != NULL) ? SubSessionKey : NULL,
|
|
*Nonce,
|
|
&TicketCacheEntry->Ticket,
|
|
ApOptions,
|
|
&GssChecksum,
|
|
&TicketCacheEntry->TimeSkew,
|
|
FALSE, // not a KDC request
|
|
ApRequestSize,
|
|
MarshalledApRequest
|
|
);
|
|
|
|
KerbUnlockTicketCache();
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
LogonSessionLocked = FALSE;
|
|
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to create AP request: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__));
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// If we aren't doing DCE style, add in the GSS token headers now
|
|
//
|
|
|
|
if ((*ContextFlags & ISC_RET_USED_DCE_STYLE) != 0)
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Pick the correct OID
|
|
//
|
|
|
|
|
|
if ((ContextAttributes & KERB_CONTEXT_USER_TO_USER) != 0)
|
|
{
|
|
MechId = gss_mech_krb5_u2u;
|
|
}
|
|
else
|
|
{
|
|
MechId = gss_mech_krb5_new;
|
|
}
|
|
|
|
RequestSize = g_token_size(MechId, *ApRequestSize);
|
|
RequestWithHeader = (PUCHAR) KerbAllocate(RequestSize);
|
|
if (RequestWithHeader == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// the g_make_token_header will reset this to point to the end of the
|
|
// header
|
|
//
|
|
|
|
RequestStart = RequestWithHeader;
|
|
|
|
g_make_token_header(
|
|
MechId,
|
|
*ApRequestSize,
|
|
&RequestStart,
|
|
KG_TOK_CTX_AP_REQ
|
|
);
|
|
|
|
DsysAssert(RequestStart - RequestWithHeader + *ApRequestSize == RequestSize);
|
|
|
|
RtlCopyMemory(
|
|
RequestStart,
|
|
*MarshalledApRequest,
|
|
*ApRequestSize
|
|
);
|
|
|
|
KerbFree(*MarshalledApRequest);
|
|
*MarshalledApRequest = RequestWithHeader;
|
|
*ApRequestSize = RequestSize;
|
|
RequestWithHeader = NULL;
|
|
|
|
Cleanup:
|
|
|
|
if (LogonSessionLocked)
|
|
{
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
}
|
|
if (GssChecksum.checksum.value != NULL)
|
|
{
|
|
KerbFree(GssChecksum.checksum.value);
|
|
}
|
|
if (!NT_SUCCESS(Status) && (*MarshalledApRequest != NULL))
|
|
{
|
|
KerbFree(*MarshalledApRequest);
|
|
*MarshalledApRequest = NULL;
|
|
}
|
|
return(Status);
|
|
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbBuildNullSessionApRequest
|
|
//
|
|
// Synopsis: builds an AP request for a null session
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
NTSTATUS
|
|
KerbBuildNullSessionApRequest(
|
|
OUT PUCHAR * MarshalledApRequest,
|
|
OUT PULONG ApRequestSize
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
KERBERR KerbErr;
|
|
KERB_AP_REQUEST ApRequest;
|
|
UNICODE_STRING NullString = CONSTANT_UNICODE_STRING(L"");
|
|
UCHAR TempBuffer[1];
|
|
ULONG RequestSize;
|
|
PUCHAR RequestWithHeader = NULL;
|
|
PUCHAR RequestStart;
|
|
|
|
RtlZeroMemory(
|
|
&ApRequest,
|
|
sizeof(KERB_AP_REQUEST)
|
|
);
|
|
|
|
|
|
TempBuffer[0] = '\0';
|
|
|
|
//
|
|
// Fill in the AP request structure.
|
|
//
|
|
|
|
ApRequest.version = KERBEROS_VERSION;
|
|
ApRequest.message_type = KRB_AP_REQ;
|
|
|
|
//
|
|
// Fill in mandatory fields - ASN1/OSS requires this
|
|
//
|
|
|
|
if (!KERB_SUCCESS(KerbConvertStringToPrincipalName(
|
|
&ApRequest.ticket.server_name,
|
|
&NullString,
|
|
KRB_NT_UNKNOWN
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (!KERB_SUCCESS(KerbConvertUnicodeStringToRealm(
|
|
&ApRequest.ticket.realm,
|
|
&NullString
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
ApRequest.ticket.encrypted_part.cipher_text.length = 1;
|
|
ApRequest.ticket.encrypted_part.cipher_text.value = TempBuffer;
|
|
ApRequest.authenticator.cipher_text.length = 1;
|
|
ApRequest.authenticator.cipher_text.value = TempBuffer;
|
|
|
|
|
|
//
|
|
// Now marshall the request
|
|
//
|
|
|
|
KerbErr = KerbPackApRequest(
|
|
&ApRequest,
|
|
ApRequestSize,
|
|
MarshalledApRequest
|
|
);
|
|
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to pack AP request: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__));
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Since we never do null sessions with user-to-user, we don't have
|
|
// to worry about which mech id to use
|
|
//
|
|
|
|
RequestSize = g_token_size((gss_OID) gss_mech_krb5_new, *ApRequestSize);
|
|
|
|
RequestWithHeader = (PUCHAR) KerbAllocate(RequestSize);
|
|
if (RequestWithHeader == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// the g_make_token_header will reset this to point to the end of the
|
|
// header
|
|
//
|
|
|
|
RequestStart = RequestWithHeader;
|
|
|
|
g_make_token_header(
|
|
(gss_OID) gss_mech_krb5_new,
|
|
*ApRequestSize,
|
|
&RequestStart,
|
|
KG_TOK_CTX_AP_REQ
|
|
);
|
|
|
|
DsysAssert(RequestStart - RequestWithHeader + *ApRequestSize == RequestSize);
|
|
|
|
RtlCopyMemory(
|
|
RequestStart,
|
|
*MarshalledApRequest,
|
|
*ApRequestSize
|
|
);
|
|
|
|
KerbFree(*MarshalledApRequest);
|
|
*MarshalledApRequest = RequestWithHeader;
|
|
*ApRequestSize = RequestSize;
|
|
RequestWithHeader = NULL;
|
|
|
|
Cleanup:
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
if (*MarshalledApRequest != NULL)
|
|
{
|
|
MIDL_user_free(*MarshalledApRequest);
|
|
*MarshalledApRequest = NULL;
|
|
}
|
|
}
|
|
KerbFreeRealm(&ApRequest.ticket.realm);
|
|
KerbFreePrincipalName(&ApRequest.ticket.server_name);
|
|
return(Status);
|
|
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbMakeSocketCall
|
|
//
|
|
// Synopsis: Contains logic for sending a message to a KDC in the
|
|
// specified realm on a specified port
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbMakeSocketCall(
|
|
IN PUNICODE_STRING RealmName,
|
|
IN OPTIONAL PUNICODE_STRING AccountName,
|
|
IN BOOLEAN CallPDC,
|
|
IN BOOLEAN UseTcp,
|
|
IN BOOLEAN CallKpasswd,
|
|
IN PKERB_MESSAGE_BUFFER RequestMessage,
|
|
IN PKERB_MESSAGE_BUFFER ReplyMessage,
|
|
IN OPTIONAL PKERB_BINDING_CACHE_ENTRY OptionalBindingHandle,
|
|
IN ULONG AdditionalFlags,
|
|
OUT PBOOLEAN CalledPDC
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
KERBERR KerbErr = KDC_ERR_NONE;
|
|
ULONG Retries;
|
|
PKERB_BINDING_CACHE_ENTRY BindingHandle = NULL;
|
|
ULONG DesiredFlags;
|
|
ULONG Timeout = KerbGlobalKdcCallTimeout;
|
|
|
|
|
|
//
|
|
// If the caller wants a PDC, so be it
|
|
//
|
|
|
|
*CalledPDC = FALSE;
|
|
|
|
if (CallPDC)
|
|
{
|
|
DesiredFlags = DS_PDC_REQUIRED;
|
|
}
|
|
else
|
|
{
|
|
DesiredFlags = 0;
|
|
}
|
|
|
|
//
|
|
// Now actually get the ticket. We will retry twice.
|
|
//
|
|
if ((AdditionalFlags & DS_FORCE_REDISCOVERY) != 0)
|
|
{
|
|
DesiredFlags |= DS_FORCE_REDISCOVERY;
|
|
D_DebugLog((DEB_TRACE,"KerbMakeSocketCall() caller wants rediscovery!\n"));
|
|
}
|
|
|
|
Retries = 0;
|
|
do
|
|
{
|
|
|
|
|
|
//
|
|
// don't force retry the first time
|
|
//
|
|
|
|
if (Retries > 0)
|
|
{
|
|
DesiredFlags |= DS_FORCE_REDISCOVERY;
|
|
Timeout += KerbGlobalKdcCallBackoff;
|
|
}
|
|
|
|
// Use ADSI supplied info, then retry using cached version
|
|
if (ARGUMENT_PRESENT(OptionalBindingHandle) && (Retries == 0))
|
|
{
|
|
BindingHandle = OptionalBindingHandle;
|
|
}
|
|
else
|
|
{
|
|
Status = KerbGetKdcBinding(
|
|
RealmName,
|
|
AccountName,
|
|
DesiredFlags,
|
|
CallKpasswd,
|
|
UseTcp,
|
|
&BindingHandle
|
|
);
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_WARN,"Failed to get KDC binding for %wZ: 0x%x\n",
|
|
RealmName, Status));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// If the KDC doesn't support TCP, don't use TCP. Otherwise
|
|
// use it if the sending buffer is too big, or if it was already
|
|
// set.
|
|
//
|
|
|
|
if ((BindingHandle->CacheFlags & KERB_BINDING_NO_TCP) != 0)
|
|
{
|
|
UseTcp = FALSE;
|
|
}
|
|
else
|
|
{
|
|
if (RequestMessage->BufferSize > KerbGlobalMaxDatagramSize)
|
|
{
|
|
UseTcp = TRUE;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Lock the binding while we make the call
|
|
//
|
|
|
|
if (!*CalledPDC)
|
|
{
|
|
*CalledPDC = (BindingHandle->Flags & DS_PDC_REQUIRED) ? TRUE : FALSE;
|
|
}
|
|
|
|
#ifndef WIN32_CHICAGO
|
|
if ((BindingHandle->CacheFlags & KERB_BINDING_LOCAL) != 0)
|
|
{
|
|
KERB_MESSAGE_BUFFER KdcReplyMessage = {0};
|
|
if (!CallKpasswd)
|
|
{
|
|
|
|
D_DebugLog((DEB_TRACE,"Calling kdc directly\n"));
|
|
|
|
DsysAssert(KerbKdcGetTicket != NULL);
|
|
KerbErr = (*KerbKdcGetTicket)(
|
|
NULL, // no context,
|
|
NULL, // no client address
|
|
NULL, // no server address
|
|
RequestMessage,
|
|
&KdcReplyMessage
|
|
);
|
|
}
|
|
else
|
|
{
|
|
DsysAssert(KerbKdcChangePassword != NULL);
|
|
KerbErr = (*KerbKdcChangePassword)(
|
|
NULL, // no context,
|
|
NULL, // no client address
|
|
NULL, // no server address
|
|
RequestMessage,
|
|
&KdcReplyMessage
|
|
);
|
|
}
|
|
if (KerbErr != KDC_ERR_NOT_RUNNING)
|
|
{
|
|
//
|
|
// Copy the data so it can be freed with MIDL_user_free.
|
|
//
|
|
|
|
ReplyMessage->BufferSize = KdcReplyMessage.BufferSize;
|
|
ReplyMessage->Buffer = (PUCHAR) MIDL_user_allocate(
|
|
KdcReplyMessage.BufferSize);
|
|
if (ReplyMessage->Buffer != NULL)
|
|
{
|
|
RtlCopyMemory(
|
|
ReplyMessage->Buffer,
|
|
KdcReplyMessage.Buffer,
|
|
KdcReplyMessage.BufferSize
|
|
);
|
|
}
|
|
else
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
(*KerbKdcFreeMemory)(KdcReplyMessage.Buffer);
|
|
goto Cleanup;
|
|
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// The KDC said it wasn't running.
|
|
//
|
|
|
|
KerbKdcStarted = FALSE;
|
|
Status = STATUS_NETLOGON_NOT_STARTED;
|
|
|
|
//
|
|
// Get rid of the binding handle so we don't use it again.
|
|
// Don't whack supplied optional binding handle though
|
|
//
|
|
if (BindingHandle != OptionalBindingHandle)
|
|
{
|
|
KerbRemoveBindingCacheEntry( BindingHandle );
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
else
|
|
#endif // WIN32_CHICAGO
|
|
{
|
|
DebugLog((DEB_TRACE,"Calling kdc %wZ for realm %S\n",&BindingHandle->KdcAddress, RealmName->Buffer));
|
|
Status = KerbCallKdc(
|
|
&BindingHandle->KdcAddress,
|
|
BindingHandle->AddressType,
|
|
Timeout,
|
|
!UseTcp,
|
|
CallKpasswd ? KERB_KPASSWD_PORT : KERB_KDC_PORT,
|
|
RequestMessage,
|
|
ReplyMessage
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status) )
|
|
{
|
|
//
|
|
// If the request used UDP and we got an invalid buffer size error,
|
|
// try again with TCP.
|
|
//
|
|
|
|
if ((Status == STATUS_INVALID_BUFFER_SIZE) && (!UseTcp)) {
|
|
|
|
if ((BindingHandle->CacheFlags & KERB_BINDING_NO_TCP) == 0)
|
|
{
|
|
|
|
UseTcp = TRUE;
|
|
Status = KerbCallKdc(
|
|
&BindingHandle->KdcAddress,
|
|
BindingHandle->AddressType,
|
|
Timeout,
|
|
!UseTcp,
|
|
CallKpasswd ? KERB_KPASSWD_PORT : KERB_KDC_PORT,
|
|
RequestMessage,
|
|
ReplyMessage
|
|
);
|
|
}
|
|
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to get make call to KDC %wZ: 0x%x. %ws, line %d\n",
|
|
&BindingHandle->KdcAddress,Status, THIS_FILE, __LINE__));
|
|
//
|
|
// The call itself failed, so the binding handle was bad.
|
|
// Free it now, unless supplied as optional binding handle.
|
|
//
|
|
if (BindingHandle != OptionalBindingHandle)
|
|
{
|
|
KerbRemoveBindingCacheEntry( BindingHandle );
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (BindingHandle != OptionalBindingHandle)
|
|
{
|
|
KerbDereferenceBindingCacheEntry( BindingHandle );
|
|
Retries++;
|
|
}
|
|
|
|
BindingHandle = NULL;
|
|
|
|
} while ( !NT_SUCCESS(Status) && (Retries < KerbGlobalKdcSendRetries) );
|
|
|
|
|
|
Cleanup:
|
|
if ((BindingHandle != NULL) && (BindingHandle != OptionalBindingHandle))
|
|
{
|
|
KerbDereferenceBindingCacheEntry(BindingHandle);
|
|
}
|
|
|
|
return(Status);
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbMakeKdcCall
|
|
//
|
|
// Synopsis: Contains logic for calling a KDC including binding and
|
|
// retrying.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbMakeKdcCall(
|
|
IN PUNICODE_STRING RealmName,
|
|
IN OPTIONAL PUNICODE_STRING AccountName,
|
|
IN BOOLEAN CallPDC,
|
|
IN BOOLEAN UseTcp,
|
|
IN PKERB_MESSAGE_BUFFER RequestMessage,
|
|
IN PKERB_MESSAGE_BUFFER ReplyMessage,
|
|
IN ULONG AdditionalFlags,
|
|
OUT PBOOLEAN CalledPDC
|
|
)
|
|
{
|
|
|
|
if (ARGUMENT_PRESENT(AccountName))
|
|
{
|
|
D_DebugLog((DEB_ERROR, "[trace info] Making DsGetDcName w/ account name\n"));
|
|
}
|
|
|
|
return(KerbMakeSocketCall(
|
|
RealmName,
|
|
AccountName,
|
|
CallPDC,
|
|
UseTcp,
|
|
FALSE, // don't call Kpasswd
|
|
RequestMessage,
|
|
ReplyMessage,
|
|
NULL, // optional binding cache handle, for kpasswd only
|
|
AdditionalFlags,
|
|
CalledPDC
|
|
));
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbComputeTgsChecksum
|
|
//
|
|
// Synopsis: computes the checksum of a TGS request body by marshalling
|
|
// the request and the checksumming it.
|
|
//
|
|
// Effects: Allocates destination with KerbAllocate().
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbComputeTgsChecksum(
|
|
IN PKERB_KDC_REQUEST_BODY RequestBody,
|
|
IN PKERB_ENCRYPTION_KEY Key,
|
|
IN ULONG ChecksumType,
|
|
OUT PKERB_CHECKSUM Checksum
|
|
)
|
|
{
|
|
PCHECKSUM_FUNCTION ChecksumFunction;
|
|
PCHECKSUM_BUFFER CheckBuffer = NULL;
|
|
KERB_MESSAGE_BUFFER MarshalledRequestBody = {0, NULL};
|
|
NTSTATUS Status;
|
|
|
|
RtlZeroMemory(
|
|
Checksum,
|
|
sizeof(KERB_CHECKSUM)
|
|
);
|
|
|
|
Status = CDLocateCheckSum(
|
|
ChecksumType,
|
|
&ChecksumFunction
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Allocate enough space for the checksum
|
|
//
|
|
|
|
Checksum->checksum.value = (PUCHAR) KerbAllocate(ChecksumFunction->CheckSumSize);
|
|
if (Checksum->checksum.value == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
Checksum->checksum.length = ChecksumFunction->CheckSumSize;
|
|
Checksum->checksum_type = (int) ChecksumType;
|
|
|
|
// don't av here.
|
|
|
|
if ((ChecksumType == KERB_CHECKSUM_REAL_CRC32) ||
|
|
(ChecksumType == KERB_CHECKSUM_CRC32))
|
|
{
|
|
if (ChecksumFunction->Initialize)
|
|
{
|
|
Status = ChecksumFunction->Initialize(
|
|
0,
|
|
&CheckBuffer
|
|
);
|
|
}
|
|
else
|
|
{
|
|
Status = STATUS_CRYPTO_SYSTEM_INVALID;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
if (ChecksumFunction->InitializeEx2)
|
|
{
|
|
Status = ChecksumFunction->InitializeEx2(
|
|
Key->keyvalue.value,
|
|
(ULONG) Key->keyvalue.length,
|
|
NULL,
|
|
KERB_TGS_REQ_AP_REQ_AUTH_CKSUM_SALT,
|
|
&CheckBuffer
|
|
);
|
|
}
|
|
else if (ChecksumFunction->InitializeEx)
|
|
{
|
|
Status = ChecksumFunction->InitializeEx(
|
|
Key->keyvalue.value,
|
|
(ULONG) Key->keyvalue.length,
|
|
KERB_TGS_REQ_AP_REQ_AUTH_CKSUM_SALT,
|
|
&CheckBuffer
|
|
);
|
|
}
|
|
else
|
|
{
|
|
Status = STATUS_CRYPTO_SYSTEM_INVALID;
|
|
}
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (!KERB_SUCCESS(KerbPackData(
|
|
RequestBody,
|
|
KERB_MARSHALLED_REQUEST_BODY_PDU,
|
|
&MarshalledRequestBody.BufferSize,
|
|
&MarshalledRequestBody.Buffer
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now checksum the buffer
|
|
//
|
|
|
|
ChecksumFunction->Sum(
|
|
CheckBuffer,
|
|
MarshalledRequestBody.BufferSize,
|
|
MarshalledRequestBody.Buffer
|
|
);
|
|
|
|
ChecksumFunction->Finalize(
|
|
CheckBuffer,
|
|
Checksum->checksum.value
|
|
);
|
|
|
|
|
|
Cleanup:
|
|
if (CheckBuffer != NULL)
|
|
{
|
|
ChecksumFunction->Finish(&CheckBuffer);
|
|
}
|
|
if (MarshalledRequestBody.Buffer != NULL)
|
|
{
|
|
MIDL_user_free(MarshalledRequestBody.Buffer);
|
|
}
|
|
if (!NT_SUCCESS(Status) && (Checksum->checksum.value != NULL))
|
|
{
|
|
MIDL_user_free(Checksum->checksum.value);
|
|
Checksum->checksum.value = NULL;
|
|
}
|
|
return(Status);
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbGetTgsTicket
|
|
//
|
|
// Synopsis: Gets a ticket to the specified target with the specified
|
|
// options.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: ClientRealm
|
|
// TicketGrantingTicket - TGT to use for the TGS request
|
|
// TargetName - Name of the target for which to obtain a ticket.
|
|
// TicketOptions - Optionally contains requested KDC options flags
|
|
// Flags
|
|
// TicketOptions
|
|
// EncryptionType - Optionally contains requested encryption type
|
|
// AuthorizationData - Optional authorization data to stick
|
|
// in the ticket.
|
|
// KdcReply - the ticket to be used for getting a ticket with
|
|
// the enc_tkt_in_skey flag.
|
|
// ReplyBody - Receives the kdc reply.
|
|
// pRetryFlags
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns: Kerberos errors and NT errors
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS
|
|
KerbGetTgsTicket(
|
|
IN PUNICODE_STRING ClientRealm,
|
|
IN PKERB_TICKET_CACHE_ENTRY TicketGrantingTicket,
|
|
IN PKERB_INTERNAL_NAME TargetName,
|
|
IN ULONG Flags,
|
|
IN OPTIONAL ULONG TicketOptions,
|
|
IN OPTIONAL ULONG EncryptionType,
|
|
IN OPTIONAL PKERB_AUTHORIZATION_DATA AuthorizationData,
|
|
IN OPTIONAL PKERB_PA_DATA_LIST PADataList,
|
|
IN OPTIONAL PKERB_TGT_REPLY TgtReply,
|
|
OUT PKERB_KDC_REPLY * KdcReply,
|
|
OUT PKERB_ENCRYPTED_KDC_REPLY * ReplyBody,
|
|
OUT PULONG pRetryFlags
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
KERB_KDC_REQUEST TicketRequest;
|
|
PKERB_KDC_REQUEST_BODY RequestBody = &TicketRequest.request_body;
|
|
PKERB_SPN_CACHE_ENTRY SpnCacheEntry = NULL;
|
|
PULONG CryptVector = NULL;
|
|
ULONG EncryptionTypeCount = 0;
|
|
PKERB_EXT_ERROR pExtendedError = NULL;
|
|
ULONG Nonce;
|
|
KERB_PA_DATA_LIST ApRequest = {0};
|
|
KERBERR KerbErr;
|
|
KERB_MESSAGE_BUFFER RequestMessage = {0, NULL};
|
|
KERB_MESSAGE_BUFFER ReplyMessage = {0, NULL};
|
|
BOOLEAN DoRetryGetTicket = FALSE;
|
|
BOOLEAN RetriedOnce = FALSE;
|
|
UNICODE_STRING TempDomainName = NULL_UNICODE_STRING;
|
|
KERB_CHECKSUM RequestChecksum = {0};
|
|
BOOLEAN CalledPdc;
|
|
KERB_TICKET_LIST TicketList;
|
|
ULONG KdcOptions = 0;
|
|
ULONG KdcFlagOptions;
|
|
PKERB_MIT_REALM MitRealm = NULL;
|
|
BOOLEAN UsedAlternateName = FALSE;
|
|
BOOLEAN UseTcp = FALSE;
|
|
BOOLEAN fMitRealmPossibleRetry = FALSE;
|
|
|
|
KERB_ENCRYPTED_DATA EncAuthData = {0};
|
|
|
|
#ifdef RESTRICTED_TOKEN
|
|
|
|
if (AuthorizationData != NULL)
|
|
{
|
|
Status = KerbBuildEncryptedAuthData(
|
|
&EncAuthData,
|
|
TicketGrantingTicket,
|
|
AuthorizationData
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to encrypt auth data: 0x%x\n",Status));
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
#endif
|
|
|
|
//
|
|
// This is the retry point if we need to retry getting a TGS ticket
|
|
//
|
|
|
|
RetryGetTicket:
|
|
|
|
RtlZeroMemory(
|
|
&ApRequest,
|
|
sizeof(KERB_PA_DATA_LIST)
|
|
);
|
|
|
|
RtlZeroMemory(
|
|
&RequestChecksum,
|
|
sizeof(KERB_CHECKSUM)
|
|
);
|
|
|
|
RtlZeroMemory(
|
|
&TicketRequest,
|
|
sizeof(KERB_KDC_REQUEST)
|
|
);
|
|
|
|
*KdcReply = NULL;
|
|
*ReplyBody = NULL;
|
|
|
|
//
|
|
// Fill in the ticket request with the defaults.
|
|
//
|
|
|
|
KerbConvertLargeIntToGeneralizedTime(
|
|
&RequestBody->endtime,
|
|
NULL,
|
|
&KerbGlobalWillNeverTime // use HasNeverTime instead
|
|
);
|
|
|
|
KerbConvertLargeIntToGeneralizedTime(
|
|
&RequestBody->KERB_KDC_REQUEST_BODY_renew_until,
|
|
NULL,
|
|
&KerbGlobalHasNeverTime // use HasNeverTime instead
|
|
);
|
|
|
|
//
|
|
// If the caller supplied kdc options, use those
|
|
//
|
|
|
|
if (TicketOptions != 0)
|
|
{
|
|
KdcOptions = TicketOptions;
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Some missing (TGT) ticket options will result in a ticket not being
|
|
// granted. Others (such as name_canon.) will be usable by W2k KDCs
|
|
// Make sure we can modify these so we can turn "on" various options
|
|
// later.
|
|
//
|
|
KdcOptions = (KERB_DEFAULT_TICKET_FLAGS &
|
|
TicketGrantingTicket->TicketFlags) |
|
|
KerbGlobalKdcOptions;
|
|
}
|
|
|
|
Nonce = KerbAllocateNonce();
|
|
|
|
RequestBody->nonce = Nonce;
|
|
if (AuthorizationData != NULL)
|
|
{
|
|
RequestBody->enc_authorization_data = EncAuthData;
|
|
RequestBody->bit_mask |= enc_authorization_data_present;
|
|
}
|
|
|
|
//
|
|
// Build crypt vector.
|
|
//
|
|
|
|
//
|
|
// First get the count of encryption types
|
|
//
|
|
|
|
(VOID) CDBuildIntegrityVect( &EncryptionTypeCount, NULL );
|
|
|
|
//
|
|
// Now allocate the crypt vector
|
|
//
|
|
|
|
CryptVector = (PULONG) KerbAllocate(sizeof(ULONG) * EncryptionTypeCount );
|
|
if (CryptVector == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now get the list of encrypt types
|
|
//
|
|
|
|
(VOID) CDBuildIntegrityVect( &EncryptionTypeCount, CryptVector );
|
|
|
|
if (EncryptionTypeCount == 0)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// If caller didn't specify a favorite etype, send all that we support
|
|
//
|
|
|
|
if (EncryptionType != 0)
|
|
{
|
|
//
|
|
// Swap the first one with the encryption type requested.
|
|
// do this only if the first isn't already what is requested.
|
|
//
|
|
|
|
UINT i = 0;
|
|
ULONG FirstOne = CryptVector[0];
|
|
if (CryptVector[i] != EncryptionType)
|
|
{
|
|
|
|
CryptVector[i] = EncryptionType;
|
|
for ( i = 1; i < EncryptionTypeCount;i++)
|
|
{
|
|
if (CryptVector[i] == EncryptionType)
|
|
{
|
|
CryptVector[i] = FirstOne;
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
//
|
|
// convert the array to a crypt list in the request
|
|
//
|
|
|
|
if (!KERB_SUCCESS(KerbConvertArrayToCryptList(
|
|
&RequestBody->encryption_type,
|
|
CryptVector,
|
|
EncryptionTypeCount)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// If a TGT reply is present, stick the TGT into the ticket in the
|
|
// additional tickets field and include set the enc_tkt_in_skey option.
|
|
// The ticket that comes back will be encrypted with the session key
|
|
// from the supplied TGT.
|
|
//
|
|
|
|
if (ARGUMENT_PRESENT( TgtReply ))
|
|
{
|
|
D_DebugLog((DEB_TRACE_U2U, "KerbGetTgsTicket setting KERB_KDC_OPTIONS_enc_tkt_in_skey\n"));
|
|
|
|
TicketList.next = NULL;
|
|
TicketList.value = TgtReply->ticket;
|
|
RequestBody->additional_tickets = &TicketList;
|
|
RequestBody->bit_mask |= additional_tickets_present;
|
|
KdcOptions |= KERB_KDC_OPTIONS_enc_tkt_in_skey;
|
|
}
|
|
|
|
//
|
|
// Fill in the strings in the ticket request
|
|
//
|
|
|
|
if (!KERB_SUCCESS(KerbConvertKdcNameToPrincipalName(
|
|
&RequestBody->KERB_KDC_REQUEST_BODY_server_name,
|
|
TargetName
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
RequestBody->bit_mask |= KERB_KDC_REQUEST_BODY_server_name_present;
|
|
|
|
|
|
//
|
|
// Copy the domain name so we don't need to hold the lock
|
|
//
|
|
|
|
Status = KerbDuplicateString(
|
|
&TempDomainName,
|
|
&TicketGrantingTicket->TargetDomainName
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Check if this is an MIT kdc or if the spn had a realm in it (e.g,
|
|
// a/b/c@realm - if so, turn off name canonicalization
|
|
//
|
|
|
|
if ((Flags & KERB_GET_TICKET_NO_CANONICALIZE) != 0)
|
|
{
|
|
KdcOptions &= ~KERB_KDC_OPTIONS_name_canonicalize;
|
|
}
|
|
else if (KerbLookupMitRealm(
|
|
&TempDomainName,
|
|
&MitRealm,
|
|
&UsedAlternateName
|
|
))
|
|
{
|
|
//
|
|
// So the user is getting a ticket from an MIT realm. This means
|
|
// if the MIT realm flags don't indicate that name canonicalization
|
|
// is supported then we don't ask for name canonicalization
|
|
//
|
|
|
|
if ((MitRealm->Flags & KERB_MIT_REALM_DOES_CANONICALIZE) == 0)
|
|
{
|
|
fMitRealmPossibleRetry = TRUE;
|
|
KdcOptions &= ~KERB_KDC_OPTIONS_name_canonicalize;
|
|
}
|
|
|
|
else
|
|
{
|
|
KdcOptions |= KERB_KDC_OPTIONS_name_canonicalize;
|
|
}
|
|
|
|
}
|
|
|
|
KdcFlagOptions = KerbConvertUlongToFlagUlong(KdcOptions);
|
|
RequestBody->kdc_options.length = sizeof(ULONG) * 8;
|
|
RequestBody->kdc_options.value = (PUCHAR) &KdcFlagOptions;
|
|
|
|
//
|
|
// Marshall the request and compute a checksum of it
|
|
//
|
|
|
|
if (!KERB_SUCCESS(KerbConvertUnicodeStringToRealm(
|
|
&RequestBody->realm,
|
|
&TempDomainName
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbReadLockTicketCache();
|
|
|
|
//
|
|
// Now compute a checksum of that data
|
|
//
|
|
|
|
Status = KerbComputeTgsChecksum(
|
|
RequestBody,
|
|
&TicketGrantingTicket->SessionKey,
|
|
(MitRealm != NULL) ? MitRealm->ApReqChecksumType : KERB_DEFAULT_AP_REQ_CSUM,
|
|
&RequestChecksum
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
KerbUnlockTicketCache();
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Create the AP request to the KDC for the ticket to the service
|
|
//
|
|
|
|
RetryWithTcp:
|
|
|
|
//
|
|
// Lock the ticket cache while we access the cached tickets
|
|
//
|
|
|
|
KerbErr = KerbCreateApRequest(
|
|
TicketGrantingTicket->ClientName,
|
|
ClientRealm,
|
|
&TicketGrantingTicket->SessionKey,
|
|
NULL, // no subsessionkey
|
|
Nonce,
|
|
&TicketGrantingTicket->Ticket,
|
|
0, // no AP options
|
|
&RequestChecksum,
|
|
&TicketGrantingTicket->TimeSkew, // server time
|
|
TRUE, // kdc request
|
|
(PULONG) &ApRequest.value.preauth_data.length,
|
|
&ApRequest.value.preauth_data.value
|
|
);
|
|
|
|
KerbUnlockTicketCache();
|
|
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to create authenticator: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__));
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
ApRequest.next = NULL;
|
|
ApRequest.value.preauth_data_type = KRB5_PADATA_TGS_REQ;
|
|
TicketRequest.KERB_KDC_REQUEST_preauth_data = &ApRequest;
|
|
TicketRequest.bit_mask |= KERB_KDC_REQUEST_preauth_data_present;
|
|
|
|
// Insert additonal preauth into list
|
|
if (ARGUMENT_PRESENT(PADataList))
|
|
{
|
|
// better be NULL padatalist
|
|
ApRequest.next = PADataList;
|
|
}
|
|
else
|
|
{
|
|
ApRequest.next = NULL;
|
|
}
|
|
|
|
//
|
|
// Marshall the request
|
|
//
|
|
|
|
TicketRequest.version = KERBEROS_VERSION;
|
|
TicketRequest.message_type = KRB_TGS_REQ;
|
|
|
|
//
|
|
// Pack the request
|
|
//
|
|
|
|
KerbErr = KerbPackTgsRequest(
|
|
&TicketRequest,
|
|
&RequestMessage.BufferSize,
|
|
&RequestMessage.Buffer
|
|
);
|
|
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now actually get the ticket. We will retry once.
|
|
//
|
|
|
|
Status = KerbMakeKdcCall(
|
|
&TempDomainName,
|
|
NULL, // **NEVER* call w/ account
|
|
FALSE, // don't require PDC
|
|
UseTcp,
|
|
&RequestMessage,
|
|
&ReplyMessage,
|
|
0, // no additional flags (yet)
|
|
&CalledPdc
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to call KDC for TGS request: 0x%x. %ws, line %d\n",Status, THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbErr = KerbUnpackTgsReply(
|
|
ReplyMessage.Buffer,
|
|
ReplyMessage.BufferSize,
|
|
KdcReply
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
PKERB_ERROR ErrorMessage = NULL;
|
|
D_DebugLog((DEB_WARN,"Failed to unpack KDC reply: 0x%x\n",
|
|
KerbErr ));
|
|
|
|
//
|
|
// Try to unpack it as kerb_error
|
|
//
|
|
|
|
KerbErr = KerbUnpackKerbError(
|
|
ReplyMessage.Buffer,
|
|
ReplyMessage.BufferSize,
|
|
&ErrorMessage
|
|
);
|
|
if (KERB_SUCCESS(KerbErr))
|
|
{
|
|
if (ErrorMessage->bit_mask & error_data_present)
|
|
{
|
|
KerbUnpackErrorData(
|
|
ErrorMessage,
|
|
&pExtendedError
|
|
);
|
|
}
|
|
|
|
KerbErr = (KERBERR) ErrorMessage->error_code;
|
|
|
|
KerbReportKerbError(
|
|
TargetName,
|
|
&TempDomainName,
|
|
NULL,
|
|
NULL,
|
|
KLIN(FILENO, __LINE__),
|
|
ErrorMessage,
|
|
KerbErr,
|
|
pExtendedError,
|
|
FALSE
|
|
);
|
|
|
|
|
|
//
|
|
// Check for time skew. If we got a skew error, record the time
|
|
// skew between here and the KDC in the ticket so we can retry
|
|
// with the correct time.
|
|
//
|
|
|
|
if (KerbErr == KRB_AP_ERR_SKEW)
|
|
{
|
|
TimeStamp CurrentTime;
|
|
TimeStamp KdcTime;
|
|
|
|
//
|
|
// Only update failures with the same ticket once
|
|
//
|
|
|
|
if (KerbGetTime(TicketGrantingTicket->TimeSkew) == 0)
|
|
{
|
|
KerbUpdateSkewTime(TRUE);
|
|
}
|
|
|
|
GetSystemTimeAsFileTime((PFILETIME) &CurrentTime);
|
|
|
|
|
|
KerbConvertGeneralizedTimeToLargeInt(
|
|
&KdcTime,
|
|
&ErrorMessage->server_time,
|
|
ErrorMessage->server_usec
|
|
);
|
|
|
|
KerbWriteLockTicketCache();
|
|
|
|
#if 0
|
|
D_DebugLog(( DEB_WARN, "KDC time : \n" ));
|
|
DebugDisplayTime( DEB_WARN, (PFILETIME)&KdcTime);
|
|
D_DebugLog(( DEB_WARN, "Current time : \n" ));
|
|
DebugDisplayTime( DEB_WARN, (PFILETIME)&CurrentTime);
|
|
#endif
|
|
KerbSetTime(&TicketGrantingTicket->TimeSkew, KerbGetTime(KdcTime) - KerbGetTime(CurrentTime));
|
|
|
|
KerbUnlockTicketCache();
|
|
DoRetryGetTicket = TRUE;
|
|
}
|
|
else if ((KerbErr == KRB_ERR_RESPONSE_TOO_BIG) && (!UseTcp))
|
|
{
|
|
//
|
|
// The KDC response was too big to fit in a datagram. If
|
|
// we aren't already using TCP use it now.
|
|
//
|
|
UseTcp = TRUE;
|
|
KerbFreeKerbError(ErrorMessage);
|
|
ErrorMessage = NULL;
|
|
MIDL_user_free(ReplyMessage.Buffer);
|
|
ReplyMessage.Buffer = NULL;
|
|
KerbReadLockTicketCache();
|
|
goto RetryWithTcp;
|
|
|
|
}
|
|
else if (KerbErr == KDC_ERR_S_PRINCIPAL_UNKNOWN)
|
|
{
|
|
if (EXT_CLIENT_INFO_PRESENT(pExtendedError) && (STATUS_USER2USER_REQUIRED == pExtendedError->status))
|
|
{
|
|
DebugLog((DEB_WARN, "KerbGetTgsTicket received KDC_ERR_S_PRINCIPAL_UNKNOWN and STATUS_USER2USER_REQUIRED\n"));
|
|
Status = STATUS_USER2USER_REQUIRED;
|
|
KerbFreeKerbError(ErrorMessage);
|
|
goto Cleanup;
|
|
}
|
|
//
|
|
// This looks to be the MIT Realm retry case, where name canonicalization
|
|
// is not on and the PRINCIPAL_UNKNOWN was returned by the MIT KDC
|
|
//
|
|
else if (fMitRealmPossibleRetry)
|
|
{
|
|
*pRetryFlags |= KERB_MIT_NO_CANONICALIZE_RETRY;
|
|
D_DebugLog((DEB_TRACE,"KerbCallKdc: this is the MIT retry case\n"));
|
|
}
|
|
}
|
|
|
|
//
|
|
// Semi-hack here. Bad option rarely is returned, and usually
|
|
// indicates your TGT is about to expire. TKT_EXPIRED is also
|
|
// potentially recoverable. Check the e_data to
|
|
// see if we should blow away TGT to fix TGS problem.
|
|
//
|
|
else if ((KerbErr == KDC_ERR_BADOPTION) ||
|
|
(KerbErr == KRB_AP_ERR_TKT_EXPIRED))
|
|
{
|
|
if (NULL != pExtendedError)
|
|
{
|
|
Status = pExtendedError->status;
|
|
if (Status == STATUS_TIME_DIFFERENCE_AT_DC)
|
|
{
|
|
*pRetryFlags |= KERB_RETRY_WITH_NEW_TGT;
|
|
D_DebugLog((DEB_TRACE, "Hit bad option retry case - %x \n", KerbErr));
|
|
}
|
|
}
|
|
}
|
|
//
|
|
// Per bug 315833, we purge on these errors as well
|
|
//
|
|
else if ((KerbErr == KDC_ERR_C_OLD_MAST_KVNO) ||
|
|
(KerbErr == KDC_ERR_CLIENT_REVOKED) ||
|
|
(KerbErr == KDC_ERR_TGT_REVOKED) ||
|
|
(KerbErr == KDC_ERR_NEVER_VALID) ||
|
|
(KerbErr == KRB_AP_ERR_BAD_INTEGRITY))
|
|
{
|
|
*pRetryFlags |= KERB_RETRY_WITH_NEW_TGT;
|
|
D_DebugLog((DEB_TRACE, "Got error requiring new tgt\n"));
|
|
}
|
|
else if (KerbErr == KDC_ERR_NONE)
|
|
{
|
|
DebugLog((DEB_ERROR, "KerbGetTgsTicket KerbCallKdc: error KDC_ERR_NONE\n"));
|
|
KerbErr = KRB_ERR_GENERIC;
|
|
}
|
|
|
|
KerbFreeKerbError(ErrorMessage);
|
|
DebugLog((DEB_WARN,"KerbCallKdc: error 0x%x\n",KerbErr));
|
|
Status = KerbMapKerbError(KerbErr);
|
|
}
|
|
else
|
|
{
|
|
Status = STATUS_LOGON_FAILURE;
|
|
}
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now unpack the reply body:
|
|
//
|
|
|
|
KerbReadLockTicketCache();
|
|
|
|
KerbErr = KerbUnpackKdcReplyBody(
|
|
&(*KdcReply)->encrypted_part,
|
|
&TicketGrantingTicket->SessionKey,
|
|
KERB_ENCRYPTED_TGS_REPLY_PDU,
|
|
ReplyBody
|
|
);
|
|
|
|
KerbUnlockTicketCache();
|
|
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to decrypt KDC reply body: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__));
|
|
Status = STATUS_LOGON_FAILURE;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Verify the nonce is correct:
|
|
//
|
|
|
|
if (RequestBody->nonce != (*ReplyBody)->nonce)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"AS Nonces don't match: 0x%x vs 0x%x. %ws, line %d\n",
|
|
RequestBody->nonce,
|
|
(*ReplyBody)->nonce, THIS_FILE, __LINE__));
|
|
Status = STATUS_LOGON_FAILURE;
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
Cleanup:
|
|
|
|
if (EncAuthData.cipher_text.value != NULL)
|
|
{
|
|
MIDL_user_free(EncAuthData.cipher_text.value);
|
|
}
|
|
if (RequestChecksum.checksum.value != NULL)
|
|
{
|
|
KerbFree(RequestChecksum.checksum.value);
|
|
}
|
|
|
|
if (CryptVector != NULL)
|
|
{
|
|
KerbFree(CryptVector);
|
|
CryptVector = NULL;
|
|
}
|
|
|
|
KerbFreeCryptList(
|
|
RequestBody->encryption_type
|
|
);
|
|
|
|
|
|
if (ReplyMessage.Buffer != NULL)
|
|
{
|
|
MIDL_user_free(ReplyMessage.Buffer);
|
|
ReplyMessage.Buffer = NULL;
|
|
}
|
|
|
|
if (RequestMessage.Buffer != NULL)
|
|
{
|
|
MIDL_user_free(RequestMessage.Buffer);
|
|
RequestMessage.Buffer = NULL;
|
|
}
|
|
|
|
if (ApRequest.value.preauth_data.value != NULL)
|
|
{
|
|
MIDL_user_free(ApRequest.value.preauth_data.value);
|
|
ApRequest.value.preauth_data.value = NULL;
|
|
}
|
|
|
|
|
|
KerbFreePrincipalName(
|
|
&RequestBody->KERB_KDC_REQUEST_BODY_server_name
|
|
);
|
|
|
|
KerbFreeRealm(
|
|
&RequestBody->realm
|
|
);
|
|
KerbFreeString(
|
|
&TempDomainName
|
|
);
|
|
|
|
if (RequestMessage.Buffer != NULL)
|
|
{
|
|
MIDL_user_free(RequestMessage.Buffer);
|
|
}
|
|
|
|
if (ApRequest.value.preauth_data.value != NULL)
|
|
{
|
|
MIDL_user_free(ApRequest.value.preauth_data.value);
|
|
ApRequest.value.preauth_data.value = NULL;
|
|
}
|
|
|
|
if (NULL != pExtendedError)
|
|
{
|
|
KerbFreeData(KERB_EXT_ERROR_PDU, pExtendedError);
|
|
pExtendedError = NULL;
|
|
}
|
|
|
|
//
|
|
// If we should retry getting the ticket and we haven't already retried
|
|
// once, try again.
|
|
//
|
|
|
|
if (DoRetryGetTicket && !RetriedOnce)
|
|
{
|
|
RetriedOnce = TRUE;
|
|
goto RetryGetTicket;
|
|
}
|
|
return(Status);
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbGetReferralNames
|
|
//
|
|
// Synopsis: Gets the referral names from a KDC reply. If none are present,
|
|
// returned strings are empty.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbGetReferralNames(
|
|
IN PKERB_ENCRYPTED_KDC_REPLY KdcReply,
|
|
IN PKERB_INTERNAL_NAME OriginalTargetName,
|
|
OUT PUNICODE_STRING ReferralRealm
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PKERB_PA_DATA_LIST PaEntry;
|
|
PKERB_PA_SERV_REFERRAL ReferralInfo = NULL;
|
|
KERBERR KerbErr;
|
|
PKERB_INTERNAL_NAME TargetName = NULL;
|
|
PKERB_INTERNAL_NAME KpasswdName = NULL;
|
|
|
|
RtlInitUnicodeString(
|
|
ReferralRealm,
|
|
NULL
|
|
);
|
|
|
|
|
|
PaEntry = (PKERB_PA_DATA_LIST) KdcReply->encrypted_pa_data;
|
|
|
|
//
|
|
// Search the list for the referral infromation
|
|
//
|
|
|
|
while (PaEntry != NULL)
|
|
{
|
|
if (PaEntry->value.preauth_data_type == KRB5_PADATA_REFERRAL_INFO)
|
|
{
|
|
break;
|
|
}
|
|
PaEntry = PaEntry->next;
|
|
}
|
|
if (PaEntry == NULL)
|
|
{
|
|
|
|
//
|
|
// Check to see if the server name is krbtgt - if it is, then
|
|
// this is a referral.
|
|
//
|
|
|
|
KerbErr = KerbConvertPrincipalNameToKdcName(
|
|
&TargetName,
|
|
&KdcReply->server_name
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Build the service name for the ticket
|
|
//
|
|
|
|
Status = KerbBuildKpasswdName(
|
|
&KpasswdName
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
if ((TargetName->NameCount == 2) &&
|
|
RtlEqualUnicodeString(
|
|
&KerbGlobalKdcServiceName,
|
|
&TargetName->Names[0],
|
|
FALSE // not case sensitive
|
|
) &&
|
|
!(KerbEqualKdcNames(
|
|
OriginalTargetName,
|
|
TargetName) ||
|
|
KerbEqualKdcNames(
|
|
OriginalTargetName,
|
|
KpasswdName) ))
|
|
{
|
|
//
|
|
// This is a referral, so set the referral name to the
|
|
// second portion of the name
|
|
//
|
|
|
|
Status = KerbDuplicateString(
|
|
ReferralRealm,
|
|
&TargetName->Names[1]
|
|
);
|
|
}
|
|
|
|
KerbFreeKdcName(&TargetName);
|
|
KerbFreeKdcName(&KpasswdName);
|
|
|
|
return(Status);
|
|
}
|
|
|
|
//
|
|
// Now try to unpack the data
|
|
//
|
|
|
|
KerbErr = KerbUnpackData(
|
|
PaEntry->value.preauth_data.value,
|
|
PaEntry->value.preauth_data.length,
|
|
KERB_PA_SERV_REFERRAL_PDU,
|
|
(PVOID *) &ReferralInfo
|
|
);
|
|
if (!KERB_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to decode referral info: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__));
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
if (!KERB_SUCCESS(KerbConvertRealmToUnicodeString(
|
|
ReferralRealm,
|
|
&ReferralInfo->referred_server_realm
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
Cleanup:
|
|
|
|
KerbFreeKdcName(&TargetName);
|
|
KerbFreeKdcName(&KpasswdName);
|
|
|
|
if (ReferralInfo != NULL)
|
|
{
|
|
KerbFreeData(
|
|
KERB_PA_SERV_REFERRAL_PDU,
|
|
ReferralInfo
|
|
);
|
|
}
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
KerbFreeString(
|
|
ReferralRealm
|
|
);
|
|
}
|
|
return(Status);
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbMITGetMachineDomain
|
|
//
|
|
// Synopsis: Determines if the machine is in a Windows 2000 domain and
|
|
// if it is then the function attempts to get a TGT for this
|
|
// domain with the passed in credentials.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: LogonSession - the logon session to use for ticket caching
|
|
// and the identity of the caller.
|
|
// Credential - the credential of the caller
|
|
// TargetName - Name of the target for which to obtain a ticket.
|
|
// TargetDomainName - Domain name of target
|
|
// ClientRealm - the realm of the machine which the retry will use
|
|
// TicketGrantingTicket - Will be freed if non-NULL
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbMITGetMachineDomain(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_INTERNAL_NAME TargetName,
|
|
IN OUT PUNICODE_STRING TargetDomainName,
|
|
IN OUT PKERB_TICKET_CACHE_ENTRY *TicketGrantingTicket
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PLSAPR_POLICY_DNS_DOMAIN_INFO DnsDomainInfo = NULL;
|
|
PLSAPR_POLICY_INFORMATION Policy = NULL;
|
|
|
|
Status = I_LsaIQueryInformationPolicyTrusted(
|
|
PolicyDnsDomainInformation,
|
|
&Policy
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed Query policy information %ws, line %d\n", THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
DnsDomainInfo = &Policy->PolicyDnsDomainInfo;
|
|
|
|
//
|
|
// make sure the computer is a member of an NT domain
|
|
//
|
|
|
|
if ((DnsDomainInfo->DnsDomainName.Length != 0) && (DnsDomainInfo->Sid != NULL))
|
|
{
|
|
//
|
|
// make the client realm the domain of the computer
|
|
//
|
|
|
|
KerbFreeString(TargetDomainName);
|
|
RtlZeroMemory(TargetDomainName, sizeof(UNICODE_STRING));
|
|
|
|
Status = KerbDuplicateString(
|
|
TargetDomainName,
|
|
(PUNICODE_STRING)&DnsDomainInfo->DnsDomainName
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
(VOID) RtlUpcaseUnicodeString( TargetDomainName,
|
|
TargetDomainName,
|
|
FALSE);
|
|
|
|
if (*TicketGrantingTicket != NULL)
|
|
{
|
|
KerbDereferenceTicketCacheEntry(*TicketGrantingTicket);
|
|
*TicketGrantingTicket = NULL;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
Status = STATUS_NO_TRUST_SAM_ACCOUNT;
|
|
}
|
|
|
|
Cleanup:
|
|
|
|
if (Policy != NULL)
|
|
{
|
|
I_LsaIFree_LSAPR_POLICY_INFORMATION(
|
|
PolicyDnsDomainInformation,
|
|
Policy
|
|
);
|
|
}
|
|
|
|
return(Status);
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbGetServiceTicket
|
|
//
|
|
// Synopsis: Gets a ticket to a service and handles cross-domain referrals
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: LogonSession - the logon session to use for ticket caching
|
|
// and the identity of the caller.
|
|
// TargetName - Name of the target for which to obtain a ticket.
|
|
// TargetDomainName - Domain name of target
|
|
// Flags - Flags about the request
|
|
// TicketOptions - KDC options flags
|
|
// EncryptionType - optional Requested encryption type
|
|
// ErrorMessage - Error message from an AP request containing hints
|
|
// for next ticket.
|
|
// AuthorizationData - Optional authorization data to stick
|
|
// in the ticket.
|
|
// TgtReply - TGT to use for getting a ticket with enc_tkt_in_skey
|
|
// TicketCacheEntry - Receives a referenced ticket cache entry.
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbGetServiceTicket(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_CREDENTIAL Credential,
|
|
IN OPTIONAL PKERB_CREDMAN_CRED CredManCredentials,
|
|
IN PKERB_INTERNAL_NAME TargetName,
|
|
IN PUNICODE_STRING TargetDomainName,
|
|
IN OPTIONAL PKERB_SPN_CACHE_ENTRY SpnCacheEntry,
|
|
IN ULONG Flags,
|
|
IN OPTIONAL ULONG TicketOptions,
|
|
IN OPTIONAL ULONG EncryptionType,
|
|
IN OPTIONAL PKERB_ERROR ErrorMessage,
|
|
IN OPTIONAL PKERB_AUTHORIZATION_DATA AuthorizationData,
|
|
IN OPTIONAL PKERB_TGT_REPLY TgtReply,
|
|
OUT PKERB_TICKET_CACHE_ENTRY * NewCacheEntry,
|
|
OUT LPGUID pLogonGuid OPTIONAL
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
NTSTATUS AuditStatus = STATUS_SUCCESS;
|
|
PKERB_TICKET_CACHE_ENTRY TicketCacheEntry = NULL;
|
|
PKERB_TICKET_CACHE_ENTRY TicketGrantingTicket = NULL;
|
|
PKERB_TICKET_CACHE_ENTRY LastTgt = NULL;
|
|
PKERB_KDC_REPLY KdcReply = NULL;
|
|
PKERB_ENCRYPTED_KDC_REPLY KdcReplyBody = NULL;
|
|
BOOLEAN LogonSessionsLocked = FALSE;
|
|
BOOLEAN TicketCacheLocked = FALSE;
|
|
BOOLEAN CrossRealm = FALSE;
|
|
PKERB_INTERNAL_NAME RealTargetName = NULL;
|
|
UNICODE_STRING RealTargetRealm = NULL_UNICODE_STRING;
|
|
PKERB_INTERNAL_NAME TargetTgtKdcName = NULL;
|
|
PKERB_PRIMARY_CREDENTIAL PrimaryCredentials = NULL;
|
|
BOOLEAN UsedCredentials = FALSE;
|
|
UNICODE_STRING ClientRealm = NULL_UNICODE_STRING;
|
|
UNICODE_STRING SpnTargetRealm = NULL_UNICODE_STRING;
|
|
BOOLEAN CacheTicket = TRUE;
|
|
BOOLEAN PurgeTgt = FALSE;
|
|
ULONG ReferralCount = 0;
|
|
ULONG RetryFlags = 0;
|
|
KERBEROS_MACHINE_ROLE Role;
|
|
BOOLEAN fMITRetryAlreadyMade = FALSE;
|
|
BOOLEAN TgtRetryMade = FALSE;
|
|
BOOLEAN CacheBasedFailure = FALSE;
|
|
GUID LogonGuid = { 0 };
|
|
|
|
|
|
Role = KerbGetGlobalRole();
|
|
|
|
//
|
|
// Check to see if the credential has any primary credentials
|
|
//
|
|
TGTRetry:
|
|
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
LogonSessionsLocked = TRUE;
|
|
|
|
if ((Credential != NULL) && (Credential->SuppliedCredentials != NULL))
|
|
{
|
|
PrimaryCredentials = Credential->SuppliedCredentials;
|
|
UsedCredentials = TRUE;
|
|
}
|
|
else if (CredManCredentials != NULL)
|
|
{
|
|
PrimaryCredentials = CredManCredentials->SuppliedCredentials;
|
|
UsedCredentials = TRUE;
|
|
}
|
|
else
|
|
{
|
|
|
|
PrimaryCredentials = &LogonSession->PrimaryCredentials;
|
|
}
|
|
|
|
|
|
//
|
|
// Make sure the name is not zero length
|
|
//
|
|
|
|
if ((TargetName->NameCount == 0) ||
|
|
(TargetName->Names[0].Length == 0))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Kdc GetServiceTicket: trying to crack zero length name.\n"));
|
|
Status = SEC_E_TARGET_UNKNOWN;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// First check the ticket cache for this logon session. We don't look
|
|
// for the target principal name because we can't be assured that this
|
|
// is a valid principal name for the target. If we are doing user-to-
|
|
// user, don't use the cache because the tgt key may have changed
|
|
//
|
|
|
|
|
|
if ((TgtReply == NULL) && ((Flags & KERB_GET_TICKET_NO_CACHE) == 0))
|
|
{
|
|
TicketCacheEntry = KerbLocateTicketCacheEntry(
|
|
&PrimaryCredentials->ServerTicketCache,
|
|
TargetName,
|
|
TargetDomainName
|
|
);
|
|
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// We don't want to cache user-to-user tickets
|
|
//
|
|
|
|
CacheTicket = FALSE;
|
|
}
|
|
|
|
if (TicketCacheEntry != NULL)
|
|
{
|
|
//
|
|
// If we were given an error message that indicated a bad password
|
|
// through away the cached ticket
|
|
//
|
|
|
|
|
|
//
|
|
// If we were given an error message that indicated a bad password
|
|
// through away the cached ticket
|
|
//
|
|
|
|
if (ARGUMENT_PRESENT(ErrorMessage) && ((KERBERR) ErrorMessage->error_code == KRB_AP_ERR_MODIFIED))
|
|
{
|
|
KerbRemoveTicketCacheEntry(TicketCacheEntry);
|
|
KerbDereferenceTicketCacheEntry(TicketCacheEntry);
|
|
TicketCacheEntry = NULL;
|
|
}
|
|
else
|
|
{
|
|
|
|
ULONG TicketFlags;
|
|
ULONG CacheTicketFlags;
|
|
ULONG CacheEncryptionType;
|
|
|
|
|
|
//
|
|
// Check if the flags are present
|
|
//
|
|
|
|
KerbReadLockTicketCache();
|
|
CacheTicketFlags = TicketCacheEntry->TicketFlags;
|
|
CacheEncryptionType = TicketCacheEntry->Ticket.encrypted_part.encryption_type;
|
|
KerbUnlockTicketCache();
|
|
|
|
TicketFlags = KerbConvertKdcOptionsToTicketFlags(TicketOptions);
|
|
|
|
if (((CacheTicketFlags & TicketFlags) != TicketFlags) ||
|
|
((EncryptionType != 0) && (CacheEncryptionType != EncryptionType)))
|
|
|
|
{
|
|
KerbDereferenceTicketCacheEntry(TicketCacheEntry);
|
|
TicketCacheEntry = NULL;
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Check the ticket time
|
|
//
|
|
|
|
if (KerbTicketIsExpiring(TicketCacheEntry, TRUE))
|
|
{
|
|
KerbDereferenceTicketCacheEntry(TicketCacheEntry);
|
|
TicketCacheEntry = NULL;
|
|
}
|
|
else
|
|
{
|
|
*NewCacheEntry = TicketCacheEntry;
|
|
TicketCacheEntry = NULL;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
//
|
|
// If the caller wanted any special options, don't cache this ticket.
|
|
//
|
|
|
|
if ((TicketOptions != 0) || (EncryptionType != 0) || ((Flags & KERB_GET_TICKET_NO_CACHE) != 0))
|
|
{
|
|
CacheTicket = FALSE;
|
|
}
|
|
|
|
//
|
|
// No cached entry was found so go ahead and call the KDC to
|
|
// get the ticket.
|
|
//
|
|
|
|
|
|
//
|
|
// Determine the state of the SPNCache using information in the credential.
|
|
// Only do this if we've not been handed
|
|
//
|
|
if ( ARGUMENT_PRESENT(SpnCacheEntry) && TargetDomainName->Buffer == NULL )
|
|
{
|
|
Status = KerbGetSpnCacheStatus(
|
|
SpnCacheEntry,
|
|
PrimaryCredentials,
|
|
&SpnTargetRealm
|
|
);
|
|
|
|
if (NT_SUCCESS( Status ))
|
|
{
|
|
KerbFreeString(&RealTargetRealm);
|
|
RealTargetRealm = SpnTargetRealm;
|
|
RtlZeroMemory(&SpnTargetRealm, sizeof(UNICODE_STRING));
|
|
|
|
D_DebugLog((DEB_TRACE_SPN_CACHE, "Found SPN cache entry - %wZ\n", &RealTargetRealm));
|
|
D_KerbPrintKdcName(DEB_TRACE_SPN_CACHE, TargetName);
|
|
|
|
}
|
|
else if ( Status != STATUS_NO_MATCH )
|
|
{
|
|
D_DebugLog((DEB_TRACE_SPN_CACHE, "KerbGetSpnCacheStatus failed %x\n", Status));
|
|
D_DebugLog((DEB_TRACE_SPN_CACHE, "TargetName: \n"));
|
|
D_KerbPrintKdcName(DEB_TRACE_SPN_CACHE, TargetName);
|
|
CacheBasedFailure = TRUE;
|
|
goto Cleanup;
|
|
}
|
|
|
|
Status = STATUS_SUCCESS;
|
|
}
|
|
|
|
//
|
|
// First get a TGT to the correct KDC. If a principal name was provided,
|
|
// use it instead of the target name.
|
|
//
|
|
|
|
Status = KerbGetTgtForService(
|
|
LogonSession,
|
|
Credential,
|
|
CredManCredentials,
|
|
NULL,
|
|
(RealTargetRealm.Buffer == NULL ? TargetDomainName : &RealTargetRealm),
|
|
Flags,
|
|
&TicketGrantingTicket,
|
|
&CrossRealm
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR, "Failed to get TGT for service: 0x%x :",
|
|
Status ));
|
|
KerbPrintKdcName( DEB_ERROR, TargetName );
|
|
DebugLog((DEB_ERROR, "%ws, line %d\n", THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Copy out the client realm name which is used when obtaining the ticket
|
|
//
|
|
|
|
Status = KerbDuplicateString(
|
|
&ClientRealm,
|
|
&PrimaryCredentials->DomainName
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
LogonSessionsLocked = FALSE;
|
|
|
|
ReferralRestart:
|
|
|
|
|
|
D_DebugLog((DEB_TRACE, "KerbGetServiceTicket ReferralRestart, ClientRealm %wZ, TargetName ", &ClientRealm));
|
|
D_KerbPrintKdcName(DEB_TRACE, TargetName);
|
|
|
|
//
|
|
// If this is not cross realm (meaning we have a TGT to the corect domain),
|
|
// try to get a ticket directly to the service
|
|
//
|
|
|
|
if (!CrossRealm)
|
|
{
|
|
Status = KerbGetTgsTicket(
|
|
&ClientRealm,
|
|
TicketGrantingTicket,
|
|
TargetName,
|
|
Flags,
|
|
TicketOptions,
|
|
EncryptionType,
|
|
AuthorizationData,
|
|
NULL, // no pa data
|
|
TgtReply, // This is for the service directly, so use TGT
|
|
&KdcReply,
|
|
&KdcReplyBody,
|
|
&RetryFlags
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
|
|
//
|
|
// Check for bad option TGT purging
|
|
//
|
|
if (((RetryFlags & KERB_RETRY_WITH_NEW_TGT) != 0) && !TgtRetryMade)
|
|
{
|
|
DebugLog((DEB_WARN, "Doing TGT retry - %p\n", TicketGrantingTicket));
|
|
|
|
//
|
|
// Unlink && purge bad tgt
|
|
//
|
|
KerbRemoveTicketCacheEntry(TicketGrantingTicket);
|
|
KerbDereferenceTicketCacheEntry(TicketGrantingTicket);
|
|
TicketGrantingTicket = NULL;
|
|
TgtRetryMade = TRUE;
|
|
goto TGTRetry;
|
|
}
|
|
|
|
//
|
|
// Check for the MIT retry case
|
|
//
|
|
|
|
if (((RetryFlags & KERB_MIT_NO_CANONICALIZE_RETRY) != 0)
|
|
&& (!fMITRetryAlreadyMade) &&
|
|
(Role != KerbRoleRealmlessWksta))
|
|
{
|
|
|
|
Status = KerbMITGetMachineDomain(LogonSession,
|
|
TargetName,
|
|
TargetDomainName,
|
|
&TicketGrantingTicket
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed Query policy information %ws, line %d\n", THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
fMITRetryAlreadyMade = TRUE;
|
|
|
|
goto TGTRetry;
|
|
}
|
|
|
|
DebugLog((DEB_WARN,"Failed to get TGS ticket for service 0x%x : \n",
|
|
Status ));
|
|
KerbPrintKdcName(DEB_WARN, TargetName );
|
|
DebugLog((DEB_WARN, "%ws, line %d\n", THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Check for referral info in the name
|
|
//
|
|
KerbFreeString(&RealTargetRealm);
|
|
Status = KerbGetReferralNames(
|
|
KdcReplyBody,
|
|
TargetName,
|
|
&RealTargetRealm
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// If this is not a referral ticket, just cache it and return
|
|
// the cache entry.
|
|
//
|
|
|
|
if (RealTargetRealm.Length == 0)
|
|
{
|
|
|
|
//
|
|
// Now we have a ticket - lets cache it
|
|
//
|
|
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
LogonSessionsLocked = TRUE;
|
|
|
|
|
|
Status = KerbCacheTicket(
|
|
&PrimaryCredentials->ServerTicketCache,
|
|
KdcReply,
|
|
KdcReplyBody,
|
|
TargetName,
|
|
TargetDomainName,
|
|
0,
|
|
CacheTicket,
|
|
&TicketCacheEntry
|
|
);
|
|
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
LogonSessionsLocked = FALSE;
|
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
*NewCacheEntry = TicketCacheEntry;
|
|
TicketCacheEntry = NULL;
|
|
|
|
//
|
|
// We're done, so get out of here.
|
|
//
|
|
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// The server referred us to another domain. Get the service's full
|
|
// name from the ticket and try to find a TGT in that domain.
|
|
//
|
|
|
|
Status = KerbDuplicateKdcName(
|
|
&RealTargetName,
|
|
TargetName
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
D_DebugLog((DEB_TRACE_CTXT, "Got referral ticket for service \n"));
|
|
D_KerbPrintKdcName(DEB_TRACE_CTXT,TargetName);
|
|
D_DebugLog((DEB_TRACE_CTXT, "in realm \n"));
|
|
D_KerbPrintKdcName(DEB_TRACE_CTXT,RealTargetName);
|
|
|
|
//
|
|
// Cache the interdomain TGT
|
|
//
|
|
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
LogonSessionsLocked = TRUE;
|
|
|
|
Status = KerbCacheTicket(
|
|
&PrimaryCredentials->AuthenticationTicketCache,
|
|
KdcReply,
|
|
KdcReplyBody,
|
|
NULL, // no target name
|
|
NULL, // no target realm
|
|
0, // no flags
|
|
CacheTicket,
|
|
&TicketCacheEntry
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbDereferenceTicketCacheEntry(TicketCacheEntry);
|
|
TicketCacheEntry = NULL;
|
|
|
|
//
|
|
// Derefence the old ticket-granting ticket
|
|
//
|
|
|
|
KerbDereferenceTicketCacheEntry(TicketGrantingTicket);
|
|
TicketGrantingTicket = NULL;
|
|
|
|
//
|
|
// Now look for a TGT for the principal
|
|
//
|
|
|
|
Status = KerbGetTgtForService(
|
|
LogonSession,
|
|
Credential,
|
|
CredManCredentials,
|
|
NULL,
|
|
&RealTargetRealm,
|
|
KERB_TARGET_REFERRAL,
|
|
&TicketGrantingTicket,
|
|
&CrossRealm
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR, "Failed to get TGT for service: 0x%x\n",
|
|
Status ));
|
|
KerbPrintKdcName( DEB_ERROR, TargetName );
|
|
DebugLog((DEB_ERROR, "%ws, line %d\n", THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
LogonSessionsLocked = FALSE;
|
|
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Set the real names to equal the supplied names
|
|
//
|
|
|
|
Status = KerbDuplicateKdcName(
|
|
&RealTargetName,
|
|
TargetName
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Don't overwrite if we're doing a referral, or if we're missing
|
|
// a TGT for the target domain name.
|
|
//
|
|
if (RealTargetRealm.Buffer == NULL)
|
|
{
|
|
Status = KerbDuplicateString(
|
|
&RealTargetRealm,
|
|
TargetDomainName
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
}
|
|
|
|
//
|
|
// Now we are in a case where we have a realm to aim for and a TGT. While
|
|
// we don't have a TGT for the target realm, get one.
|
|
//
|
|
|
|
if (!KERB_SUCCESS(KerbBuildFullServiceKdcName(
|
|
&RealTargetRealm,
|
|
&KerbGlobalKdcServiceName,
|
|
KRB_NT_SRV_INST,
|
|
&TargetTgtKdcName
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbReadLockTicketCache();
|
|
TicketCacheLocked = TRUE;
|
|
|
|
|
|
//
|
|
// Referral chasing code block - very important to get right
|
|
// If we know the "real" target realm, eg. from GC, then
|
|
// we'll walk trusts until we hit "real" target realm.
|
|
//
|
|
while (!RtlEqualUnicodeString(
|
|
&RealTargetRealm,
|
|
&TicketGrantingTicket->TargetDomainName,
|
|
TRUE ))
|
|
{
|
|
|
|
//
|
|
// If we just got two TGTs for the same domain, then we must have
|
|
// gotten as far as we can. Chances our our RealTargetRealm is a
|
|
// variation of what the KDC hands out.
|
|
//
|
|
|
|
if ((LastTgt != NULL) &&
|
|
RtlEqualUnicodeString(
|
|
&LastTgt->TargetDomainName,
|
|
&TicketGrantingTicket->TargetDomainName,
|
|
TRUE ))
|
|
{
|
|
|
|
KerbUnlockTicketCache();
|
|
|
|
KerbSetTicketCacheEntryTarget(
|
|
&RealTargetRealm,
|
|
LastTgt
|
|
);
|
|
|
|
KerbReadLockTicketCache();
|
|
D_DebugLog((DEB_TRACE_CTXT, "Got two TGTs for same realm (%wZ), bailing out of referral loop\n",
|
|
&LastTgt->TargetDomainName));
|
|
break;
|
|
}
|
|
|
|
D_DebugLog((DEB_TRACE_CTXT, "Getting referral TGT for \n"));
|
|
D_KerbPrintKdcName(DEB_TRACE_CTXT, TargetTgtKdcName);
|
|
D_KerbPrintKdcName(DEB_TRACE_CTXT, TicketGrantingTicket->ServiceName);
|
|
|
|
KerbUnlockTicketCache();
|
|
TicketCacheLocked = FALSE;
|
|
|
|
//
|
|
// Cleanup old state
|
|
//
|
|
|
|
KerbFreeTgsReply(KdcReply);
|
|
KerbFreeKdcReplyBody(KdcReplyBody);
|
|
KdcReply = NULL;
|
|
KdcReplyBody = NULL;
|
|
|
|
|
|
Status = KerbGetTgsTicket(
|
|
&ClientRealm,
|
|
TicketGrantingTicket,
|
|
TargetTgtKdcName,
|
|
FALSE,
|
|
TicketOptions,
|
|
EncryptionType,
|
|
AuthorizationData,
|
|
NULL, // no pa data
|
|
NULL, // no tgt reply since target is krbtgt
|
|
&KdcReply,
|
|
&KdcReplyBody,
|
|
&RetryFlags
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_WARN,"Failed to get TGS ticket for service 0x%x :",
|
|
Status ));
|
|
KerbPrintKdcName(DEB_WARN, TargetTgtKdcName );
|
|
DebugLog((DEB_WARN, "%ws, line %d\n", THIS_FILE, __LINE__));
|
|
|
|
//
|
|
// We want to map cross-domain failures to failures indicating
|
|
// that a KDC could not be found. This means that for Kerberos
|
|
// logons, the negotiate code will retry with a different package
|
|
//
|
|
|
|
// if (Status == STATUS_NO_TRUST_SAM_ACCOUNT)
|
|
// {
|
|
// Status = STATUS_NO_LOGON_SERVERS;
|
|
// }
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now we have a ticket - lets cache it
|
|
//
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
LogonSessionsLocked = TRUE;
|
|
|
|
|
|
Status = KerbCacheTicket(
|
|
&PrimaryCredentials->AuthenticationTicketCache,
|
|
KdcReply,
|
|
KdcReplyBody,
|
|
NULL, // no target name
|
|
NULL, // no targe realm
|
|
0, // no flags
|
|
CacheTicket,
|
|
&TicketCacheEntry
|
|
);
|
|
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
LogonSessionsLocked = FALSE;
|
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (LastTgt != NULL)
|
|
{
|
|
KerbDereferenceTicketCacheEntry(LastTgt);
|
|
LastTgt = NULL;
|
|
}
|
|
LastTgt = TicketGrantingTicket;
|
|
TicketGrantingTicket = TicketCacheEntry;
|
|
TicketCacheEntry = NULL;
|
|
|
|
KerbReadLockTicketCache();
|
|
TicketCacheLocked = TRUE;
|
|
|
|
|
|
} // ** WHILE **
|
|
|
|
DsysAssert(TicketCacheLocked);
|
|
KerbUnlockTicketCache();
|
|
TicketCacheLocked = FALSE;
|
|
|
|
//
|
|
// Now we must have a TGT to the destination domain. Get a ticket
|
|
// to the service.
|
|
//
|
|
|
|
//
|
|
// Cleanup old state
|
|
//
|
|
|
|
KerbFreeTgsReply(KdcReply);
|
|
KerbFreeKdcReplyBody(KdcReplyBody);
|
|
KdcReply = NULL;
|
|
KdcReplyBody = NULL;
|
|
RetryFlags = 0;
|
|
|
|
Status = KerbGetTgsTicket(
|
|
&ClientRealm,
|
|
TicketGrantingTicket,
|
|
RealTargetName,
|
|
FALSE,
|
|
TicketOptions,
|
|
EncryptionType,
|
|
AuthorizationData,
|
|
NULL, // no pa data
|
|
TgtReply,
|
|
&KdcReply,
|
|
&KdcReplyBody,
|
|
&RetryFlags
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
//
|
|
// Check for bad option TGT purging
|
|
//
|
|
if (((RetryFlags & KERB_RETRY_WITH_NEW_TGT) != 0) && !TgtRetryMade)
|
|
{
|
|
DebugLog((DEB_WARN, "Doing TGT retry - %p\n", TicketGrantingTicket));
|
|
|
|
//
|
|
// Unlink && purge bad tgt
|
|
//
|
|
KerbRemoveTicketCacheEntry(TicketGrantingTicket); // free from list
|
|
KerbDereferenceTicketCacheEntry(TicketGrantingTicket);
|
|
TicketGrantingTicket = NULL;
|
|
TgtRetryMade = TRUE;
|
|
goto TGTRetry;
|
|
}
|
|
|
|
DebugLog((DEB_WARN,"Failed to get TGS ticket for service 0x%x ",
|
|
Status ));
|
|
KerbPrintKdcName(DEB_WARN, RealTargetName);
|
|
DebugLog((DEB_WARN, "%ws, line %d\n", THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now that we are in the domain to which we were referred, check for referral
|
|
// info in the name
|
|
//
|
|
|
|
KerbFreeString(&RealTargetRealm);
|
|
Status = KerbGetReferralNames(
|
|
KdcReplyBody,
|
|
RealTargetName,
|
|
&RealTargetRealm
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// If this is not a referral ticket, just cache it and return
|
|
// the cache entry.
|
|
//
|
|
if (RealTargetRealm.Length != 0)
|
|
{
|
|
//
|
|
// To prevent loops, we limit the number of referral we'll take
|
|
//
|
|
|
|
|
|
if (ReferralCount > KerbGlobalMaxReferralCount)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Maximum referral count exceeded for name: "));
|
|
KerbPrintKdcName(DEB_ERROR,RealTargetName);
|
|
Status = STATUS_MAX_REFERRALS_EXCEEDED;
|
|
goto Cleanup;
|
|
}
|
|
|
|
ReferralCount++;
|
|
|
|
//
|
|
// Cache the interdomain TGT
|
|
//
|
|
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
LogonSessionsLocked = TRUE;
|
|
|
|
|
|
Status = KerbCacheTicket(
|
|
&PrimaryCredentials->AuthenticationTicketCache,
|
|
KdcReply,
|
|
KdcReplyBody,
|
|
NULL, // no target name
|
|
NULL, // no target realm
|
|
0, // no flags
|
|
CacheTicket,
|
|
&TicketCacheEntry
|
|
);
|
|
|
|
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
LogonSessionsLocked = FALSE;
|
|
|
|
//
|
|
// Cleanup old state
|
|
//
|
|
|
|
KerbFreeTgsReply(KdcReply);
|
|
KerbFreeKdcReplyBody(KdcReplyBody);
|
|
KdcReply = NULL;
|
|
KdcReplyBody = NULL;
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (LastTgt != NULL)
|
|
{
|
|
KerbDereferenceTicketCacheEntry(LastTgt);
|
|
LastTgt = NULL;
|
|
}
|
|
|
|
LastTgt = TicketGrantingTicket;
|
|
TicketGrantingTicket = TicketCacheEntry;
|
|
TicketCacheEntry = NULL;
|
|
|
|
D_DebugLog((DEB_TRACE_CTXT, "Restart referral:%wZ", &RealTargetRealm));
|
|
|
|
goto ReferralRestart;
|
|
}
|
|
|
|
|
|
|
|
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
LogonSessionsLocked = TRUE;
|
|
|
|
Status = KerbCacheTicket(
|
|
&PrimaryCredentials->ServerTicketCache,
|
|
KdcReply,
|
|
KdcReplyBody,
|
|
TargetName,
|
|
TargetDomainName,
|
|
TgtReply ? KERB_TICKET_CACHE_TKT_ENC_IN_SKEY : 0,
|
|
CacheTicket,
|
|
&TicketCacheEntry
|
|
);
|
|
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
LogonSessionsLocked = FALSE;
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
*NewCacheEntry = TicketCacheEntry;
|
|
TicketCacheEntry = NULL;
|
|
|
|
Cleanup:
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
//
|
|
// Generate the logon GUID
|
|
//
|
|
AuditStatus = KerbGetLogonGuid(
|
|
PrimaryCredentials,
|
|
KdcReplyBody,
|
|
&LogonGuid
|
|
);
|
|
|
|
//
|
|
// return the logon GUID if requested
|
|
//
|
|
if ( NT_SUCCESS(AuditStatus) && pLogonGuid )
|
|
{
|
|
*pLogonGuid = LogonGuid;
|
|
}
|
|
|
|
//
|
|
// generate SE_AUDITID_LOGON_USING_EXPLICIT_CREDENTIALS
|
|
// if explicit credentials were used for this logon.
|
|
//
|
|
if ( UsedCredentials )
|
|
{
|
|
(void) KerbGenerateAuditForLogonUsingExplicitCreds(
|
|
LogonSession,
|
|
PrimaryCredentials,
|
|
&LogonGuid
|
|
);
|
|
}
|
|
}
|
|
|
|
//
|
|
// Bad or unlocatable SPN -- Don't update if we got the value from the cache, though.
|
|
//
|
|
if (( TargetName->NameType == KRB_NT_SRV_INST ) &&
|
|
( NT_SUCCESS(Status) || Status == STATUS_NO_TRUST_SAM_ACCOUNT ) &&
|
|
( !CacheBasedFailure ))
|
|
{
|
|
NTSTATUS Tmp;
|
|
ULONG UpdateValue = KERB_SPN_UNKNOWN;
|
|
PUNICODE_STRING Realm = NULL;
|
|
|
|
if ( NT_SUCCESS( Status ))
|
|
{
|
|
Realm = &(*NewCacheEntry)->TargetDomainName;
|
|
UpdateValue = KERB_SPN_KNOWN;
|
|
}
|
|
|
|
Tmp = KerbUpdateSpnCacheEntry(
|
|
SpnCacheEntry,
|
|
TargetName,
|
|
PrimaryCredentials,
|
|
UpdateValue,
|
|
Realm
|
|
);
|
|
}
|
|
|
|
KerbFreeTgsReply( KdcReply );
|
|
KerbFreeKdcReplyBody( KdcReplyBody );
|
|
KerbFreeKdcName( &TargetTgtKdcName );
|
|
KerbFreeString( &RealTargetRealm );
|
|
KerbFreeString( &SpnTargetRealm );
|
|
|
|
KerbFreeKdcName(&RealTargetName);
|
|
|
|
if (TicketCacheLocked)
|
|
{
|
|
KerbUnlockTicketCache();
|
|
}
|
|
|
|
if (LogonSessionsLocked)
|
|
{
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
}
|
|
|
|
KerbFreeString(&RealTargetRealm);
|
|
|
|
|
|
if (TicketGrantingTicket != NULL)
|
|
{
|
|
if (Status == STATUS_WRONG_PASSWORD)
|
|
{
|
|
KerbRemoveTicketCacheEntry(
|
|
TicketGrantingTicket
|
|
);
|
|
}
|
|
KerbDereferenceTicketCacheEntry(TicketGrantingTicket);
|
|
}
|
|
if (LastTgt != NULL)
|
|
{
|
|
KerbDereferenceTicketCacheEntry(LastTgt);
|
|
LastTgt = NULL;
|
|
}
|
|
|
|
|
|
KerbFreeString(&ClientRealm);
|
|
|
|
//
|
|
// If we still have a pointer to the ticket cache entry, free it now.
|
|
//
|
|
|
|
if (TicketCacheEntry != NULL)
|
|
{
|
|
KerbRemoveTicketCacheEntry( TicketCacheEntry );
|
|
KerbDereferenceTicketCacheEntry(TicketCacheEntry);
|
|
}
|
|
return(Status);
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbRenewTicket
|
|
//
|
|
// Synopsis: renews a ticket
|
|
//
|
|
// Effects: Tries to renew a ticket
|
|
//
|
|
// Arguments: LogonSession - LogonSession for user, contains ticket caches
|
|
// and locks
|
|
// Credentials - Present if the ticket being renewed is hanging
|
|
// off a credential structure.
|
|
// Ticket - Ticket to renew
|
|
// NewTicket - Receives the renewed ticket
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbRenewTicket(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN OPTIONAL PKERB_CREDENTIAL Credentials,
|
|
IN OPTIONAL PKERB_CREDMAN_CRED CredManCredentials,
|
|
IN PKERB_TICKET_CACHE_ENTRY Ticket,
|
|
IN BOOLEAN IsTgt,
|
|
OUT PKERB_TICKET_CACHE_ENTRY *NewTicket
|
|
)
|
|
{
|
|
NTSTATUS Status;
|
|
PKERB_INTERNAL_NAME ServiceName = NULL;
|
|
PKERB_KDC_REPLY KdcReply = NULL;
|
|
PKERB_ENCRYPTED_KDC_REPLY KdcReplyBody = NULL;
|
|
UNICODE_STRING ServiceRealm = NULL_UNICODE_STRING;
|
|
BOOLEAN TicketCacheLocked = FALSE;
|
|
PKERB_PRIMARY_CREDENTIAL PrimaryCreds;
|
|
ULONG CacheFlags = 0;
|
|
ULONG RetryFlags = 0;
|
|
|
|
|
|
*NewTicket = NULL;
|
|
|
|
//
|
|
// Copy the names out of the input structures so we can
|
|
// unlock the structures while going over the network.
|
|
//
|
|
|
|
KerbReadLockTicketCache();
|
|
TicketCacheLocked = TRUE;
|
|
|
|
//
|
|
// If the renew time is not much bigger than the end time, don't bother
|
|
// renewing
|
|
//
|
|
|
|
if (KerbGetTime(Ticket->EndTime) + KerbGetTime(KerbGlobalSkewTime) >= KerbGetTime(Ticket->RenewUntil))
|
|
{
|
|
Status = STATUS_UNSUCCESSFUL;
|
|
goto Cleanup;
|
|
}
|
|
CacheFlags = Ticket->CacheFlags;
|
|
|
|
Status = KerbDuplicateString(
|
|
&ServiceRealm,
|
|
&Ticket->DomainName
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
Status = KerbDuplicateKdcName(
|
|
&ServiceName,
|
|
Ticket->ServiceName
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
if ((Ticket->TicketFlags & KERB_TICKET_FLAGS_renewable) == 0)
|
|
{
|
|
Status = STATUS_ILLEGAL_FUNCTION;
|
|
D_DebugLog((DEB_ERROR,"Trying to renew a non renewable ticket to"));
|
|
D_KerbPrintKdcName(DEB_ERROR,ServiceName);
|
|
D_DebugLog((DEB_ERROR, "%ws, line %d\n", THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbUnlockTicketCache();
|
|
TicketCacheLocked = FALSE;
|
|
|
|
|
|
Status = KerbGetTgsTicket(
|
|
&ServiceRealm,
|
|
Ticket,
|
|
ServiceName,
|
|
FALSE,
|
|
KERB_KDC_OPTIONS_renew,
|
|
0, // no encryption type
|
|
NULL, // no authorization data
|
|
NULL, // no pa data
|
|
NULL, // no tgt reply
|
|
&KdcReply,
|
|
&KdcReplyBody,
|
|
&RetryFlags
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_WARN,"Failed to get TGS ticket for service 0x%x ",
|
|
Status ));
|
|
KerbPrintKdcName(DEB_WARN, ServiceName);
|
|
DebugLog((DEB_WARN, "%ws, line %d\n", THIS_FILE, __LINE__));
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
|
|
if ((Credentials != NULL) && (Credentials->SuppliedCredentials != NULL))
|
|
{
|
|
PrimaryCreds = Credentials->SuppliedCredentials;
|
|
}
|
|
else if (CredManCredentials != NULL)
|
|
{
|
|
PrimaryCreds = CredManCredentials->SuppliedCredentials;
|
|
}
|
|
else
|
|
{
|
|
PrimaryCreds = &LogonSession->PrimaryCredentials;
|
|
}
|
|
|
|
|
|
Status = KerbCacheTicket(
|
|
(IsTgt ? &PrimaryCreds->AuthenticationTicketCache :
|
|
&PrimaryCreds->ServerTicketCache),
|
|
KdcReply,
|
|
KdcReplyBody,
|
|
ServiceName,
|
|
&ServiceRealm,
|
|
CacheFlags,
|
|
TRUE,
|
|
NewTicket
|
|
);
|
|
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
Cleanup:
|
|
if (TicketCacheLocked)
|
|
{
|
|
KerbUnlockTicketCache();
|
|
}
|
|
|
|
KerbFreeTgsReply(KdcReply);
|
|
KerbFreeKdcReplyBody(KdcReplyBody);
|
|
KerbFreeKdcName(&ServiceName);
|
|
KerbFreeString(&ServiceRealm);
|
|
return(Status);
|
|
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbRefreshPrimaryTgt
|
|
//
|
|
// Synopsis: Obtains a new TGT for a logon session or credential
|
|
//
|
|
//
|
|
// Effects: does a new AS exchange with the KDC to get a TGT for the client
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbRefreshPrimaryTgt(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN OPTIONAL PKERB_CREDENTIAL Credentials,
|
|
IN OPTIONAL PKERB_CREDMAN_CRED CredManCredentials,
|
|
IN OPTIONAL PUNICODE_STRING SuppRealm,
|
|
IN OPTIONAL PKERB_TICKET_CACHE_ENTRY OldTgt
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_UNSUCCESSFUL;
|
|
|
|
if (ARGUMENT_PRESENT(OldTgt))
|
|
{
|
|
PKERB_TICKET_CACHE_ENTRY NewTgt = NULL;
|
|
|
|
DebugLog((DEB_WARN,"Attempting to renew primary TGT \n"));
|
|
Status = KerbRenewTicket(
|
|
LogonSession,
|
|
Credentials,
|
|
CredManCredentials,
|
|
OldTgt,
|
|
TRUE, // it is a TGT
|
|
&NewTgt
|
|
);
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
KerbDereferenceTicketCacheEntry(NewTgt);
|
|
}
|
|
else
|
|
{
|
|
DebugLog((DEB_WARN,"Failed to renew primary tgt: 0x%x\n",Status));
|
|
}
|
|
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_WARN,"Getting new TGT for account\n"));
|
|
Status = KerbGetTicketForCredential(
|
|
LogonSession,
|
|
Credentials,
|
|
CredManCredentials,
|
|
SuppRealm
|
|
);
|
|
|
|
}
|
|
return(Status);
|
|
}
|
|
|
|
#ifndef WIN32_CHICAGO
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbVerifyApRequest
|
|
//
|
|
// Synopsis: Verifies that an AP request message is valid
|
|
//
|
|
// Effects: decrypts ticket in AP request
|
|
//
|
|
// Arguments: RequestMessage - Marshalled AP request message
|
|
// RequestSize - Size in bytes of request message
|
|
// LogonSession - Logon session for server
|
|
// Credential - Credential for server containing
|
|
// supplied credentials
|
|
// UseSuppliedCreds - If TRUE, use creds from credential
|
|
// ApRequest - Receives unmarshalled AP request
|
|
// NewTicket - Receives ticket from AP request
|
|
// NewAuthenticator - receives new authenticator from AP request
|
|
// SessionKey -receives the session key from the ticket
|
|
// ContextFlags - receives the requested flags for the
|
|
// context.
|
|
// pChannelBindings - pChannelBindings supplied by app to check
|
|
// against hashed ones in AP_REQ
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS
|
|
KerbVerifyApRequest(
|
|
IN OPTIONAL PKERB_CONTEXT Context,
|
|
IN PUCHAR RequestMessage,
|
|
IN ULONG RequestSize,
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_CREDENTIAL Credential,
|
|
IN BOOLEAN UseSuppliedCreds,
|
|
IN BOOLEAN CheckForReplay,
|
|
OUT PKERB_AP_REQUEST * ApRequest,
|
|
OUT PKERB_ENCRYPTED_TICKET * NewTicket,
|
|
OUT PKERB_AUTHENTICATOR * NewAuthenticator,
|
|
OUT PKERB_ENCRYPTION_KEY SessionKey,
|
|
OUT PKERB_ENCRYPTION_KEY TicketKey,
|
|
OUT PKERB_ENCRYPTION_KEY ServerKey,
|
|
OUT PULONG ContextFlags,
|
|
OUT PULONG ContextAttributes,
|
|
OUT PKERBERR ReturnKerbErr,
|
|
IN PSEC_CHANNEL_BINDINGS pChannelBindings
|
|
)
|
|
{
|
|
|
|
KERBERR KerbErr = KDC_ERR_NONE;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PKERB_AP_REQUEST Request = NULL;
|
|
UNICODE_STRING ServerName[3] = {0};
|
|
ULONG NameCount = 0;
|
|
BOOLEAN UseSubKey = FALSE;
|
|
BOOLEAN LockAcquired = FALSE;
|
|
PKERB_GSS_CHECKSUM GssChecksum;
|
|
PKERB_ENCRYPTION_KEY LocalServerKey;
|
|
BOOLEAN TryOldPassword = TRUE;
|
|
BOOLEAN TicketCacheLocked = FALSE;
|
|
PKERB_STORED_CREDENTIAL PasswordList;
|
|
PKERB_PRIMARY_CREDENTIAL PrimaryCredentials;
|
|
ULONG StrippedRequestSize = RequestSize;
|
|
PUCHAR StrippedRequest = RequestMessage;
|
|
PKERB_TICKET_CACHE_ENTRY CacheEntry = NULL;
|
|
ULONG ApOptions = 0;
|
|
BOOLEAN StrongEncryptionPermitted = KerbGlobalStrongEncryptionPermitted;
|
|
ULONG BindHash[4];
|
|
|
|
*ApRequest = NULL;
|
|
*ContextFlags = 0;
|
|
*NewTicket = NULL;
|
|
*NewAuthenticator = NULL;
|
|
*ReturnKerbErr = KDC_ERR_NONE;
|
|
|
|
RtlZeroMemory(
|
|
SessionKey,
|
|
sizeof(KERB_ENCRYPTION_KEY)
|
|
);
|
|
*TicketKey = *SessionKey;
|
|
*ServerKey = *SessionKey;
|
|
|
|
|
|
#ifndef WIN32_CHICAGO
|
|
{
|
|
SECPKG_CALL_INFO CallInfo;
|
|
|
|
if (!StrongEncryptionPermitted && LsaFunctions->GetCallInfo(&CallInfo))
|
|
{
|
|
if (CallInfo.Attributes & SECPKG_CALL_IN_PROC )
|
|
{
|
|
StrongEncryptionPermitted = TRUE;
|
|
}
|
|
}
|
|
}
|
|
#endif
|
|
|
|
//
|
|
// First unpack the KDC request.
|
|
//
|
|
|
|
//
|
|
// Verify the GSSAPI header
|
|
//
|
|
|
|
if (!g_verify_token_header(
|
|
(gss_OID) gss_mech_krb5_new,
|
|
(INT *) &StrippedRequestSize,
|
|
&StrippedRequest,
|
|
KG_TOK_CTX_AP_REQ,
|
|
RequestSize
|
|
))
|
|
{
|
|
|
|
StrippedRequestSize = RequestSize;
|
|
StrippedRequest = RequestMessage;
|
|
|
|
//
|
|
// Check if this is user-to-user kerberos
|
|
//
|
|
|
|
|
|
if (g_verify_token_header(
|
|
gss_mech_krb5_u2u,
|
|
(INT *) &StrippedRequestSize,
|
|
&StrippedRequest,
|
|
KG_TOK_CTX_TGT_REQ,
|
|
RequestSize))
|
|
{
|
|
//
|
|
// Return now because there is no AP request. Return a distinct
|
|
// success code so the caller knows to reparse the request as
|
|
// a TGT request.
|
|
//
|
|
|
|
D_DebugLog((DEB_TRACE_U2U, "KerbVerifyApRequest got TGT reqest\n"));
|
|
|
|
return(STATUS_REPARSE_OBJECT);
|
|
}
|
|
else
|
|
{
|
|
StrippedRequestSize = RequestSize;
|
|
StrippedRequest = RequestMessage;
|
|
|
|
if (!g_verify_token_header( // check for a user-to-user AP request
|
|
gss_mech_krb5_u2u,
|
|
(INT *) &StrippedRequestSize,
|
|
&StrippedRequest,
|
|
KG_TOK_CTX_AP_REQ,
|
|
RequestSize))
|
|
{
|
|
//
|
|
// BUG 454895: remove when not needed for compatibility
|
|
//
|
|
|
|
//
|
|
// if that didn't work, just use the token as it is.
|
|
//
|
|
StrippedRequest = RequestMessage;
|
|
StrippedRequestSize = RequestSize;
|
|
D_DebugLog((DEB_WARN,"Didn't find GSS header on AP request\n"));
|
|
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
KerbErr = KerbUnpackApRequest(
|
|
StrippedRequest,
|
|
StrippedRequestSize,
|
|
&Request
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to unpack AP request: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__));
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Check for a null session
|
|
//
|
|
|
|
if ((Request->version == KERBEROS_VERSION) &&
|
|
(Request->message_type == KRB_AP_REQ) &&
|
|
(Request->ticket.encrypted_part.cipher_text.length == 1) &&
|
|
(*Request->ticket.encrypted_part.cipher_text.value == '\0') &&
|
|
(Request->authenticator.cipher_text.length == 1) &&
|
|
(*Request->authenticator.cipher_text.value == '\0'))
|
|
{
|
|
//
|
|
// We have a null session. Not much to do here.
|
|
//
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
RtlZeroMemory(
|
|
SessionKey,
|
|
sizeof(KERB_ENCRYPTION_KEY)
|
|
);
|
|
*ContextFlags |= ISC_RET_NULL_SESSION;
|
|
goto Cleanup;
|
|
|
|
}
|
|
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
|
|
if ( UseSuppliedCreds )
|
|
{
|
|
PrimaryCredentials = Credential->SuppliedCredentials;
|
|
}
|
|
else
|
|
{
|
|
PrimaryCredentials = &LogonSession->PrimaryCredentials;
|
|
}
|
|
LockAcquired = TRUE;
|
|
|
|
//
|
|
// Check for existence of a password and use_session_key
|
|
//
|
|
|
|
|
|
ApOptions = KerbConvertFlagsToUlong( &Request->ap_options);
|
|
|
|
D_DebugLog((DEB_TRACE,"Request AP options = 0x%x\n",ApOptions));
|
|
|
|
if ((ApOptions & KERB_AP_OPTIONS_use_session_key) == 0)
|
|
{
|
|
if (PrimaryCredentials->Passwords == NULL)
|
|
{
|
|
D_DebugLog((DEB_TRACE_U2U, "KerbVerifyApRequest no password and use_session_key is not requested, returning KRB_AP_ERR_USER_TO_USER_REQUIRED\n"));
|
|
|
|
Status = SEC_E_NO_CREDENTIALS;
|
|
*ReturnKerbErr = KRB_AP_ERR_USER_TO_USER_REQUIRED;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
if (!KERB_SUCCESS(KerbBuildFullServiceName(
|
|
&PrimaryCredentials->DomainName,
|
|
&PrimaryCredentials->UserName,
|
|
&ServerName[NameCount++]
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
ServerName[NameCount++] = PrimaryCredentials->UserName;
|
|
|
|
if (Credential->CredentialName.Length != 0)
|
|
{
|
|
ServerName[NameCount++] = Credential->CredentialName;
|
|
}
|
|
|
|
//
|
|
// Get ticket info for the server
|
|
//
|
|
|
|
//
|
|
// Now Check the ticket
|
|
//
|
|
|
|
PasswordList = PrimaryCredentials->Passwords;
|
|
|
|
Retry:
|
|
//
|
|
// If this is use_session key, get the key from the tgt
|
|
//
|
|
|
|
if ((ApOptions & KERB_AP_OPTIONS_use_session_key) != 0)
|
|
{
|
|
TryOldPassword = FALSE;
|
|
|
|
D_DebugLog((DEB_TRACE_U2U, "KerbVerifyApRequest verifying ticket with TGT session key\n"));
|
|
|
|
*ContextAttributes |= KERB_CONTEXT_USER_TO_USER;
|
|
|
|
//
|
|
// If we have a context, try to get the TGT from it.
|
|
//
|
|
|
|
if (ARGUMENT_PRESENT(Context))
|
|
{
|
|
KerbReadLockContexts();
|
|
CacheEntry = Context->TicketCacheEntry;
|
|
KerbUnlockContexts();
|
|
}
|
|
|
|
//
|
|
// If there is no TGT in the context, try getting one from the
|
|
// logon session.
|
|
//
|
|
|
|
if (CacheEntry == NULL)
|
|
{
|
|
//
|
|
// Locate the TGT for the principal
|
|
//
|
|
|
|
CacheEntry = KerbLocateTicketCacheEntryByRealm(
|
|
&PrimaryCredentials->AuthenticationTicketCache,
|
|
&PrimaryCredentials->DomainName, // get initial ticket
|
|
0
|
|
);
|
|
}
|
|
else
|
|
{
|
|
KerbReferenceTicketCacheEntry(
|
|
CacheEntry
|
|
);
|
|
}
|
|
if (CacheEntry == NULL)
|
|
{
|
|
D_DebugLog((DEB_WARN, "Tried to request TGT on credential without a TGT\n"));
|
|
*ReturnKerbErr = KRB_AP_ERR_NO_TGT;
|
|
Status = SEC_E_NO_CREDENTIALS;
|
|
goto Cleanup;
|
|
|
|
}
|
|
KerbReadLockTicketCache();
|
|
TicketCacheLocked = TRUE;
|
|
LocalServerKey = &CacheEntry->SessionKey;
|
|
|
|
}
|
|
else
|
|
{
|
|
LocalServerKey = KerbGetKeyFromList(
|
|
PasswordList,
|
|
Request->ticket.encrypted_part.encryption_type
|
|
);
|
|
|
|
if (LocalServerKey == NULL)
|
|
{
|
|
D_DebugLog((DEB_ERROR, "Couldn't find server key of type 0x%x. %ws, line %d\n",
|
|
Request->ticket.encrypted_part.encryption_type, THIS_FILE, __LINE__ ));
|
|
Status = STATUS_LOGON_FAILURE;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
KerbErr = KerbCheckTicket(
|
|
&Request->ticket,
|
|
&Request->authenticator,
|
|
LocalServerKey,
|
|
Authenticators,
|
|
&KerbGlobalSkewTime,
|
|
NameCount,
|
|
ServerName,
|
|
&PrimaryCredentials->DomainName,
|
|
CheckForReplay,
|
|
FALSE, // not a KDC request
|
|
NewTicket,
|
|
NewAuthenticator,
|
|
TicketKey,
|
|
SessionKey,
|
|
&UseSubKey
|
|
);
|
|
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
//
|
|
// Return this error, since it is an authentication failure.
|
|
//
|
|
|
|
*ReturnKerbErr = KerbErr;
|
|
|
|
DebugLog((DEB_ERROR,"Failed to check ticket: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__));
|
|
|
|
//
|
|
// If the error is that it was modified, try again with the old
|
|
// password.
|
|
//
|
|
|
|
if ((KerbErr == KRB_AP_ERR_MODIFIED) &&
|
|
TryOldPassword
|
|
&&
|
|
(PrimaryCredentials->OldPasswords != NULL))
|
|
{
|
|
PasswordList = PrimaryCredentials->OldPasswords;
|
|
TryOldPassword = FALSE;
|
|
goto Retry;
|
|
}
|
|
|
|
//
|
|
// If the error was a clock skew error but the caller didn't ask
|
|
// for mutual auth, then don't bother returning a Kerberos error.
|
|
//
|
|
|
|
Status = KerbMapKerbError(KerbErr);
|
|
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Copy the key that was used.
|
|
//
|
|
|
|
if (!KERB_SUCCESS(KerbDuplicateKey(
|
|
ServerKey,
|
|
LocalServerKey)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Get the context flags out of the authenticator and the AP request
|
|
//
|
|
|
|
if ((((*NewAuthenticator)->bit_mask & checksum_present) != 0) &&
|
|
((*NewAuthenticator)->checksum.checksum_type == GSS_CHECKSUM_TYPE) &&
|
|
((*NewAuthenticator)->checksum.checksum.length >= GSS_CHECKSUM_SIZE))
|
|
{
|
|
GssChecksum = (PKERB_GSS_CHECKSUM) (*NewAuthenticator)->checksum.checksum.value;
|
|
|
|
if (GssChecksum->GssFlags & GSS_C_MUTUAL_FLAG)
|
|
{
|
|
//
|
|
// Make sure this is also present in the AP request
|
|
//
|
|
|
|
if ((ApOptions & KERB_AP_OPTIONS_mutual_required) == 0)
|
|
{
|
|
DebugLog((DEB_ERROR,"Sent AP_mutual_req but not GSS_C_MUTUAL_FLAG. %ws, line %d\n", THIS_FILE, __LINE__));
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
if (GssChecksum->GssFlags & GSS_C_DCE_STYLE)
|
|
{
|
|
*ContextFlags |= ISC_RET_USED_DCE_STYLE;
|
|
}
|
|
if (GssChecksum->GssFlags & GSS_C_REPLAY_FLAG)
|
|
{
|
|
*ContextFlags |= ISC_RET_REPLAY_DETECT;
|
|
}
|
|
if (GssChecksum->GssFlags & GSS_C_SEQUENCE_FLAG)
|
|
{
|
|
*ContextFlags |= ISC_RET_SEQUENCE_DETECT;
|
|
}
|
|
if (GssChecksum->GssFlags & GSS_C_CONF_FLAG)
|
|
{
|
|
*ContextFlags |= (ISC_RET_CONFIDENTIALITY |
|
|
ISC_RET_INTEGRITY |
|
|
ISC_RET_SEQUENCE_DETECT |
|
|
ISC_RET_REPLAY_DETECT );
|
|
}
|
|
if (GssChecksum->GssFlags & GSS_C_INTEG_FLAG)
|
|
{
|
|
*ContextFlags |= ISC_RET_INTEGRITY;
|
|
}
|
|
if (GssChecksum->GssFlags & GSS_C_IDENTIFY_FLAG)
|
|
{
|
|
*ContextFlags |= ISC_RET_IDENTIFY;
|
|
}
|
|
if (GssChecksum->GssFlags & GSS_C_DELEG_FLAG)
|
|
{
|
|
*ContextFlags |= ISC_RET_DELEGATE;
|
|
}
|
|
if (GssChecksum->GssFlags & GSS_C_EXTENDED_ERROR_FLAG)
|
|
{
|
|
*ContextFlags |= ISC_RET_EXTENDED_ERROR;
|
|
}
|
|
|
|
if( pChannelBindings != NULL )
|
|
{
|
|
Status = KerbComputeGssBindHash( pChannelBindings, (PUCHAR)BindHash );
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
if( RtlCompareMemory( BindHash,
|
|
GssChecksum->BindHash,
|
|
GssChecksum->BindLength )
|
|
!= GssChecksum->BindLength )
|
|
{
|
|
Status = STATUS_BAD_BINDINGS;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
}
|
|
|
|
if ((ApOptions & KERB_AP_OPTIONS_use_session_key) != 0)
|
|
{
|
|
*ContextFlags |= ISC_RET_USE_SESSION_KEY;
|
|
}
|
|
|
|
if ((ApOptions & KERB_AP_OPTIONS_mutual_required) != 0)
|
|
{
|
|
*ContextFlags |= ISC_RET_MUTUAL_AUTH;
|
|
}
|
|
else if ((*ContextFlags & ISC_RET_USED_DCE_STYLE) == 0)
|
|
{
|
|
//
|
|
// Make sure we can support the encryption type the client is using.
|
|
// This is only relevant if they are trying to do encryption
|
|
//
|
|
|
|
if (!StrongEncryptionPermitted &&
|
|
!KerbIsKeyExportable(
|
|
SessionKey
|
|
) &&
|
|
(((*ContextFlags) & ISC_RET_CONFIDENTIALITY) != 0))
|
|
{
|
|
DebugLog((DEB_ERROR,"Client is trying to strong encryption but we can't support it. %ws, line %d\n", THIS_FILE, __LINE__));
|
|
Status = STATUS_STRONG_CRYPTO_NOT_SUPPORTED;
|
|
}
|
|
}
|
|
|
|
*ApRequest = Request;
|
|
Request = NULL;
|
|
|
|
Cleanup:
|
|
|
|
if (TicketCacheLocked)
|
|
{
|
|
KerbUnlockTicketCache();
|
|
}
|
|
|
|
if (CacheEntry)
|
|
{
|
|
KerbDereferenceTicketCacheEntry(CacheEntry);
|
|
}
|
|
|
|
if (LockAcquired)
|
|
{
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
}
|
|
|
|
//
|
|
// If the caller didn't ask for mutual-auth, then don't bother
|
|
// returning a KerbErr for an error that probably can't be fixed
|
|
// anyways.
|
|
//
|
|
|
|
if ((Request != NULL)
|
|
/* && (*ReturnKerbErr == KRB_AP_ERR_MODIFIED) */ )
|
|
{
|
|
|
|
//
|
|
// If the client didn't want mutual-auth, then it won't be expecting
|
|
// a response message so don't bother with the kerb error. By setting
|
|
// KerbErr to NULL we won't send a message back to the client.
|
|
//
|
|
|
|
if ((ApOptions & KERB_AP_OPTIONS_mutual_required) == 0)
|
|
{
|
|
*ReturnKerbErr = KDC_ERR_NONE;
|
|
}
|
|
|
|
}
|
|
|
|
KerbFreeApRequest(Request);
|
|
KerbFreeString(&ServerName[0]);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
KerbFreeKey(TicketKey);
|
|
}
|
|
return(Status);
|
|
}
|
|
#endif // WIN32_CHICAGO
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbMarshallApReply
|
|
//
|
|
// Synopsis: Takes a reply and reply body and encrypts and marshalls them
|
|
// into a return message
|
|
//
|
|
// Effects: Allocates output buffer
|
|
//
|
|
// Arguments: Reply - The outer reply to marshall
|
|
// ReplyBody - The reply body to marshall
|
|
// EncryptionType - Encryption algorithm to use
|
|
// SessionKey - Session key to encrypt reply
|
|
// ContextFlags - Flags for context
|
|
// PackedReply - Recives marshalled reply buffer
|
|
// PackedReplySize - Receives size in bytes of marshalled reply
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns: STATUS_SUCCESS or STATUS_INSUFFICIENT_RESOURCES
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS
|
|
KerbMarshallApReply(
|
|
IN PKERB_AP_REPLY Reply,
|
|
IN PKERB_ENCRYPTED_AP_REPLY ReplyBody,
|
|
IN ULONG EncryptionType,
|
|
IN PKERB_ENCRYPTION_KEY SessionKey,
|
|
IN ULONG ContextFlags,
|
|
IN ULONG ContextAttributes,
|
|
OUT PUCHAR * PackedReply,
|
|
OUT PULONG PackedReplySize
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
ULONG PackedApReplySize;
|
|
PUCHAR PackedApReply = NULL;
|
|
ULONG ReplySize;
|
|
PUCHAR ReplyWithHeader = NULL;
|
|
PUCHAR ReplyStart;
|
|
KERBERR KerbErr;
|
|
gss_OID_desc * MechId;
|
|
|
|
|
|
if (!KERB_SUCCESS(KerbPackApReplyBody(
|
|
ReplyBody,
|
|
&PackedApReplySize,
|
|
&PackedApReply
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now encrypt the response
|
|
//
|
|
KerbErr = KerbAllocateEncryptionBufferWrapper(
|
|
EncryptionType,
|
|
PackedApReplySize,
|
|
&Reply->encrypted_part.cipher_text.length,
|
|
&Reply->encrypted_part.cipher_text.value
|
|
);
|
|
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to get encryption overhead. 0x%x. %ws, line %d\n", KerbErr, THIS_FILE, __LINE__));
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
if (!KERB_SUCCESS(KerbEncryptDataEx(
|
|
&Reply->encrypted_part,
|
|
PackedApReplySize,
|
|
PackedApReply,
|
|
EncryptionType,
|
|
KERB_AP_REP_SALT,
|
|
SessionKey
|
|
)))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to encrypt AP Reply. %ws, line %d\n", THIS_FILE, __LINE__));
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now pack the reply into the output buffer
|
|
//
|
|
|
|
if (!KERB_SUCCESS(KerbPackApReply(
|
|
Reply,
|
|
PackedReplySize,
|
|
PackedReply
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// If we aren't doing DCE style, add in the GSS token headers now
|
|
//
|
|
|
|
if ((ContextFlags & ISC_RET_USED_DCE_STYLE) != 0)
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
if ((ContextAttributes & KERB_CONTEXT_USER_TO_USER) != 0)
|
|
{
|
|
MechId = gss_mech_krb5_u2u;
|
|
}
|
|
else
|
|
{
|
|
MechId = gss_mech_krb5_new;
|
|
}
|
|
|
|
ReplySize = g_token_size(
|
|
MechId,
|
|
*PackedReplySize);
|
|
|
|
ReplyWithHeader = (PUCHAR) KerbAllocate(ReplySize);
|
|
if (ReplyWithHeader == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// the g_make_token_header will reset this to point to the end of the
|
|
// header
|
|
//
|
|
|
|
ReplyStart = ReplyWithHeader;
|
|
|
|
g_make_token_header(
|
|
MechId,
|
|
*PackedReplySize,
|
|
&ReplyStart,
|
|
KG_TOK_CTX_AP_REP
|
|
);
|
|
|
|
DsysAssert(ReplyStart - ReplyWithHeader + *PackedReplySize == ReplySize);
|
|
|
|
RtlCopyMemory(
|
|
ReplyStart,
|
|
*PackedReply,
|
|
*PackedReplySize
|
|
);
|
|
|
|
KerbFree(*PackedReply);
|
|
*PackedReply = ReplyWithHeader;
|
|
*PackedReplySize = ReplySize;
|
|
ReplyWithHeader = NULL;
|
|
|
|
Cleanup:
|
|
if (Reply->encrypted_part.cipher_text.value != NULL)
|
|
{
|
|
MIDL_user_free(Reply->encrypted_part.cipher_text.value);
|
|
Reply->encrypted_part.cipher_text.value = NULL;
|
|
}
|
|
if (PackedApReply != NULL)
|
|
{
|
|
MIDL_user_free(PackedApReply);
|
|
}
|
|
if (!NT_SUCCESS(Status) && (*PackedReply != NULL))
|
|
{
|
|
KerbFree(*PackedReply);
|
|
*PackedReply = NULL;
|
|
}
|
|
return(Status);
|
|
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbBuildApReply
|
|
//
|
|
// Synopsis: Builds an AP reply message if mutual authentication is
|
|
// desired.
|
|
//
|
|
// Effects: InternalAuthenticator - Authenticator from the AP request
|
|
// this reply is for.
|
|
// Request - The AP request to which to reply.
|
|
// ContextFlags - Contains context flags from the AP request.
|
|
// SessionKey - The session key to use to build the reply,.
|
|
// receives the new session key (if KERB_AP_USE_SKEY
|
|
// is negotiated).
|
|
// NewReply - Receives the AP reply.
|
|
// NewReplySize - Receives the size of the AP reply.
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns: STATUS_SUCCESS, STATUS_INSUFFICIENT_MEMORY, or errors from
|
|
// KIEncryptData
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbBuildApReply(
|
|
IN PKERB_AUTHENTICATOR InternalAuthenticator,
|
|
IN PKERB_AP_REQUEST Request,
|
|
IN ULONG ContextFlags,
|
|
IN ULONG ContextAttributes,
|
|
IN PKERB_ENCRYPTION_KEY TicketKey,
|
|
IN OUT PKERB_ENCRYPTION_KEY SessionKey,
|
|
OUT PULONG Nonce,
|
|
OUT PUCHAR * NewReply,
|
|
OUT PULONG NewReplySize
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
KERB_AP_REPLY Reply = {0};
|
|
KERB_ENCRYPTED_AP_REPLY ReplyBody = {0};
|
|
KERB_ENCRYPTION_KEY NewSessionKey = {0};
|
|
BOOLEAN StrongEncryptionPermitted = KerbGlobalStrongEncryptionPermitted;
|
|
|
|
*NewReply = NULL;
|
|
*NewReplySize = 0;
|
|
|
|
#ifndef WIN32_CHICAGO
|
|
{
|
|
SECPKG_CALL_INFO CallInfo;
|
|
|
|
if (!StrongEncryptionPermitted && LsaFunctions->GetCallInfo(&CallInfo))
|
|
{
|
|
if (CallInfo.Attributes & SECPKG_CALL_IN_PROC )
|
|
{
|
|
StrongEncryptionPermitted = TRUE;
|
|
}
|
|
}
|
|
}
|
|
#endif
|
|
|
|
Reply.version = KERBEROS_VERSION;
|
|
Reply.message_type = KRB_AP_REP;
|
|
|
|
|
|
|
|
ReplyBody.client_time = InternalAuthenticator->client_time;
|
|
ReplyBody.client_usec = InternalAuthenticator->client_usec;
|
|
|
|
//
|
|
// Generate a new nonce for the reply
|
|
//
|
|
|
|
*Nonce = KerbAllocateNonce();
|
|
|
|
|
|
D_DebugLog((DEB_TRACE,"BuildApReply using nonce 0x%x\n",*Nonce));
|
|
|
|
if (*Nonce != 0)
|
|
{
|
|
ReplyBody.KERB_ENCRYPTED_AP_REPLY_sequence_number = (int) *Nonce;
|
|
ReplyBody.bit_mask |= KERB_ENCRYPTED_AP_REPLY_sequence_number_present;
|
|
|
|
}
|
|
|
|
//
|
|
// If the client wants to use a session key, create one now
|
|
//
|
|
|
|
if ((InternalAuthenticator->bit_mask & KERB_AUTHENTICATOR_subkey_present) != 0 )
|
|
{
|
|
KERBERR KerbErr;
|
|
//
|
|
// If the client sent us an export-strength subkey, use it
|
|
//
|
|
|
|
if (KerbIsKeyExportable(
|
|
&InternalAuthenticator->KERB_AUTHENTICATOR_subkey
|
|
))
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT,"Client sent exportable key, using it on server on server\n"));
|
|
if (!KERB_SUCCESS(KerbDuplicateKey(
|
|
&NewSessionKey,
|
|
&InternalAuthenticator->KERB_AUTHENTICATOR_subkey
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
|
|
//
|
|
// If we are export-strength, create our own key. Otherwise use
|
|
// the client's key.
|
|
//
|
|
|
|
if (!StrongEncryptionPermitted)
|
|
{
|
|
|
|
D_DebugLog((DEB_TRACE_CTXT,"Client sent strong key, making exportable key on server\n"));
|
|
|
|
KerbErr = KerbMakeExportableKey(
|
|
Request->authenticator.encryption_type,
|
|
&NewSessionKey
|
|
);
|
|
|
|
}
|
|
else
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT,"Client sent strong key, using it on server on server\n"));
|
|
KerbErr = KerbDuplicateKey(
|
|
&NewSessionKey,
|
|
&InternalAuthenticator->KERB_AUTHENTICATOR_subkey
|
|
);
|
|
}
|
|
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
|
|
}
|
|
ReplyBody.KERB_ENCRYPTED_AP_REPLY_subkey = NewSessionKey;
|
|
ReplyBody.bit_mask |= KERB_ENCRYPTED_AP_REPLY_subkey_present;
|
|
}
|
|
else
|
|
{
|
|
KERBERR KerbErr;
|
|
//
|
|
// Create a subkey ourselves if we are export strength
|
|
//
|
|
|
|
if (!StrongEncryptionPermitted)
|
|
{
|
|
D_DebugLog((DEB_TRACE_CTXT,"Client sent no key, making exportable on server\n"));
|
|
KerbErr = KerbMakeExportableKey(
|
|
Request->authenticator.encryption_type,
|
|
&NewSessionKey
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
|
|
}
|
|
else
|
|
{
|
|
KerbErr = KerbMakeKey(
|
|
Request->authenticator.encryption_type,
|
|
&NewSessionKey
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
|
|
}
|
|
ReplyBody.KERB_ENCRYPTED_AP_REPLY_subkey = NewSessionKey;
|
|
ReplyBody.bit_mask |= KERB_ENCRYPTED_AP_REPLY_subkey_present;
|
|
}
|
|
|
|
Status = KerbMarshallApReply(
|
|
&Reply,
|
|
&ReplyBody,
|
|
Request->authenticator.encryption_type,
|
|
TicketKey,
|
|
ContextFlags,
|
|
ContextAttributes,
|
|
NewReply,
|
|
NewReplySize
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// If they asked for a session key, replace our current session key
|
|
// with it.
|
|
//
|
|
|
|
if (NewSessionKey.keyvalue.value != NULL)
|
|
{
|
|
KerbFreeKey(SessionKey);
|
|
*SessionKey = NewSessionKey;
|
|
RtlZeroMemory(
|
|
&NewSessionKey,
|
|
sizeof(KERB_ENCRYPTION_KEY)
|
|
);
|
|
}
|
|
|
|
Cleanup:
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
KerbFreeKey(&NewSessionKey);
|
|
}
|
|
return(Status);
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbBuildThirdLegApReply
|
|
//
|
|
// Synopsis: Builds a third leg AP reply message if DCE-style
|
|
// authentication is desired.
|
|
//
|
|
// Effects: Context - Context for which to build this message.
|
|
// NewReply - Receives the AP reply.
|
|
// NewReplySize - Receives the size of the AP reply.
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns: STATUS_SUCCESS, STATUS_INSUFFICIENT_MEMORY, or errors from
|
|
// KIEncryptData
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbBuildThirdLegApReply(
|
|
IN PKERB_CONTEXT Context,
|
|
IN ULONG ReceiveNonce,
|
|
OUT PUCHAR * NewReply,
|
|
OUT PULONG NewReplySize
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
KERB_AP_REPLY Reply;
|
|
KERB_ENCRYPTED_AP_REPLY ReplyBody;
|
|
TimeStamp CurrentTime;
|
|
|
|
RtlZeroMemory(
|
|
&Reply,
|
|
sizeof(KERB_AP_REPLY)
|
|
);
|
|
RtlZeroMemory(
|
|
&ReplyBody,
|
|
sizeof(KERB_ENCRYPTED_AP_REPLY)
|
|
);
|
|
*NewReply = NULL;
|
|
*NewReplySize = 0;
|
|
|
|
|
|
Reply.version = KERBEROS_VERSION;
|
|
Reply.message_type = KRB_AP_REP;
|
|
|
|
|
|
GetSystemTimeAsFileTime((PFILETIME)
|
|
&CurrentTime
|
|
);
|
|
|
|
KerbConvertLargeIntToGeneralizedTimeWrapper(
|
|
&ReplyBody.client_time,
|
|
&ReplyBody.client_usec,
|
|
&CurrentTime
|
|
);
|
|
|
|
|
|
ReplyBody.KERB_ENCRYPTED_AP_REPLY_sequence_number = ReceiveNonce;
|
|
ReplyBody.bit_mask |= KERB_ENCRYPTED_AP_REPLY_sequence_number_present;
|
|
|
|
D_DebugLog((DEB_TRACE,"Building third leg AP reply with nonce 0x%x\n",ReceiveNonce));
|
|
//
|
|
// We already negotiated context flags so don't bother filling them in
|
|
// now.
|
|
//
|
|
|
|
|
|
KerbReadLockContexts();
|
|
|
|
Status = KerbMarshallApReply(
|
|
&Reply,
|
|
&ReplyBody,
|
|
Context->EncryptionType,
|
|
&Context->TicketKey,
|
|
Context->ContextFlags,
|
|
Context->ContextAttributes,
|
|
NewReply,
|
|
NewReplySize
|
|
);
|
|
KerbUnlockContexts();
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
Cleanup:
|
|
return(Status);
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbVerifyApReply
|
|
//
|
|
// Synopsis: Verifies an AP reply corresponds to an AP request
|
|
//
|
|
// Effects: Decrypts the AP reply
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns: STATUS_SUCCESS or STATUS_LOGON_FAILURE
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbVerifyApReply(
|
|
IN PKERB_CONTEXT Context,
|
|
IN PUCHAR PackedReply,
|
|
IN ULONG PackedReplySize,
|
|
OUT PULONG Nonce
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
KERBERR KerbErr;
|
|
PKERB_AP_REPLY Reply = NULL;
|
|
PKERB_ENCRYPTED_AP_REPLY ReplyBody = NULL;
|
|
BOOLEAN ContextsLocked = FALSE;
|
|
ULONG StrippedReplySize = PackedReplySize;
|
|
PUCHAR StrippedReply = PackedReply;
|
|
gss_OID_desc * MechId;
|
|
BOOLEAN StrongEncryptionPermitted = KerbGlobalStrongEncryptionPermitted;
|
|
|
|
|
|
#ifndef WIN32_CHICAGO
|
|
{
|
|
SECPKG_CALL_INFO CallInfo;
|
|
|
|
if (!StrongEncryptionPermitted && LsaFunctions->GetCallInfo(&CallInfo))
|
|
{
|
|
if (CallInfo.Attributes & SECPKG_CALL_IN_PROC )
|
|
{
|
|
StrongEncryptionPermitted = TRUE;
|
|
}
|
|
}
|
|
}
|
|
#endif
|
|
|
|
//
|
|
// Verify the GSSAPI header
|
|
//
|
|
|
|
KerbReadLockContexts();
|
|
if ((Context->ContextFlags & ISC_RET_USED_DCE_STYLE) == 0)
|
|
{
|
|
if ((Context->ContextAttributes & KERB_CONTEXT_USER_TO_USER) != 0)
|
|
{
|
|
MechId = gss_mech_krb5_u2u;
|
|
}
|
|
else
|
|
{
|
|
MechId = gss_mech_krb5_new;
|
|
}
|
|
if (!g_verify_token_header(
|
|
(gss_OID) MechId,
|
|
(INT *) &StrippedReplySize,
|
|
&StrippedReply,
|
|
KG_TOK_CTX_AP_REP,
|
|
PackedReplySize
|
|
))
|
|
{
|
|
//
|
|
// BUG 454895: remove when not needed for compatibility
|
|
//
|
|
|
|
//
|
|
// if that didn't work, just use the token as it is.
|
|
//
|
|
|
|
StrippedReply = PackedReply;
|
|
StrippedReplySize = PackedReplySize;
|
|
D_DebugLog((DEB_WARN,"Didn't find GSS header on AP Reply\n"));
|
|
|
|
}
|
|
}
|
|
KerbUnlockContexts();
|
|
|
|
if (!KERB_SUCCESS(KerbUnpackApReply(
|
|
StrippedReply,
|
|
StrippedReplySize,
|
|
&Reply
|
|
)))
|
|
{
|
|
D_DebugLog((DEB_WARN,"Failed to unpack AP reply\n"));
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
if ((Reply->version != KERBEROS_VERSION) ||
|
|
(Reply->message_type != KRB_AP_REP))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Illegal version or message as AP reply: 0x%x, 0x%x. %ws, line %d\n",
|
|
Reply->version, Reply->message_type, THIS_FILE, __LINE__ ));
|
|
Status = STATUS_LOGON_FAILURE;
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// Now decrypt the encrypted part.
|
|
//
|
|
|
|
KerbWriteLockContexts();
|
|
ContextsLocked = TRUE;
|
|
KerbReadLockTicketCache();
|
|
|
|
KerbErr = KerbDecryptDataEx(
|
|
&Reply->encrypted_part,
|
|
&Context->TicketKey,
|
|
KERB_AP_REP_SALT,
|
|
(PULONG) &Reply->encrypted_part.cipher_text.length,
|
|
Reply->encrypted_part.cipher_text.value
|
|
);
|
|
KerbUnlockTicketCache();
|
|
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
DebugLog((DEB_ERROR, "Failed to decrypt AP reply: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__));
|
|
if (KerbErr == KRB_ERR_GENERIC)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
else
|
|
{
|
|
Status = STATUS_LOGON_FAILURE;
|
|
}
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// Decode the contents now
|
|
//
|
|
|
|
if (!KERB_SUCCESS(KerbUnpackApReplyBody(
|
|
Reply->encrypted_part.cipher_text.value,
|
|
Reply->encrypted_part.cipher_text.length,
|
|
&ReplyBody)))
|
|
{
|
|
DebugLog((DEB_ERROR, "Failed to unpack AP reply body. %ws, line %d\n", THIS_FILE, __LINE__));
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
if ((ReplyBody->bit_mask & KERB_ENCRYPTED_AP_REPLY_sequence_number_present) != 0)
|
|
{
|
|
*Nonce = ReplyBody->KERB_ENCRYPTED_AP_REPLY_sequence_number;
|
|
|
|
D_DebugLog((DEB_TRACE,"Verifying AP reply: AP nonce = 0x%x, context nonce = 0x%x, receive nonce = 0x%x\n",
|
|
*Nonce,
|
|
Context->Nonce,
|
|
Context->ReceiveNonce
|
|
));
|
|
//
|
|
// If this is a third-leg AP reply, verify the nonce.
|
|
//
|
|
|
|
if ((Context->ContextAttributes & KERB_CONTEXT_INBOUND) != 0)
|
|
{
|
|
if (*Nonce != Context->Nonce)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Nonce in third-leg AP rep didn't match context: 0x%x vs 0x%x\n",
|
|
*Nonce, Context->Nonce ));
|
|
Status = STATUS_LOGON_FAILURE;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
}
|
|
else
|
|
{
|
|
*Nonce = 0;
|
|
}
|
|
|
|
//
|
|
// Check to see if a new session key was sent back. If it was, stick it
|
|
// in the context.
|
|
//
|
|
|
|
|
|
if ((ReplyBody->bit_mask & KERB_ENCRYPTED_AP_REPLY_subkey_present) != 0)
|
|
{
|
|
if (!StrongEncryptionPermitted)
|
|
{
|
|
if (!KerbIsKeyExportable(&ReplyBody->KERB_ENCRYPTED_AP_REPLY_subkey))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Server did not accept client's export strength key. %ws, line %d\n", THIS_FILE, __LINE__));
|
|
|
|
Status = STATUS_STRONG_CRYPTO_NOT_SUPPORTED;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
KerbFreeKey(&Context->SessionKey);
|
|
if (!KERB_SUCCESS(KerbDuplicateKey(
|
|
&Context->SessionKey,
|
|
&ReplyBody->KERB_ENCRYPTED_AP_REPLY_subkey
|
|
)))
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
Cleanup:
|
|
if (ContextsLocked)
|
|
{
|
|
KerbUnlockContexts();
|
|
}
|
|
|
|
if (Reply != NULL)
|
|
{
|
|
KerbFreeApReply(Reply);
|
|
}
|
|
if (ReplyBody != NULL)
|
|
{
|
|
KerbFreeApReplyBody(ReplyBody);
|
|
}
|
|
return(Status);
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbInitTicketHandling
|
|
//
|
|
// Synopsis: Initializes ticket handling, such as authenticator list
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: none
|
|
//
|
|
// Requires: NTSTATUS code
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbInitTicketHandling(
|
|
VOID
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
TimeStamp MaxAuthenticatorAge;
|
|
#ifndef WIN32_CHICAGO
|
|
LPNET_CONFIG_HANDLE ConfigHandle = NULL;
|
|
BOOL TempBool;
|
|
#endif // WIN32_CHICAGO
|
|
ULONG SkewTimeInMinutes = KERB_DEFAULT_SKEWTIME;
|
|
NET_API_STATUS NetStatus = ERROR_SUCCESS;
|
|
ULONG FarKdcTimeout = KERB_BINDING_FAR_DC_TIMEOUT;
|
|
ULONG NearKdcTimeout = KERB_BINDING_NEAR_DC_TIMEOUT;
|
|
ULONG SpnCacheTimeout = KERB_SPN_CACHE_TIMEOUT;
|
|
//
|
|
// Initialize the kerberos token source
|
|
//
|
|
|
|
RtlCopyMemory(
|
|
KerberosSource.SourceName,
|
|
"Kerberos",
|
|
sizeof("Kerberos")
|
|
);
|
|
|
|
NtAllocateLocallyUniqueId(&KerberosSource.SourceIdentifier);
|
|
|
|
KerbGlobalKdcWaitTime = KERB_KDC_WAIT_TIME;
|
|
KerbGlobalKdcCallTimeout = KERB_KDC_CALL_TIMEOUT;
|
|
KerbGlobalKdcCallBackoff = KERB_KDC_CALL_TIMEOUT_BACKOFF;
|
|
KerbGlobalMaxDatagramSize = KERB_MAX_DATAGRAM_SIZE;
|
|
KerbGlobalKdcSendRetries = KERB_MAX_RETRIES;
|
|
KerbGlobalMaxReferralCount = KERB_MAX_REFERRAL_COUNT;
|
|
KerbGlobalUseSidCache = KERB_DEFAULT_USE_SIDCACHE;
|
|
KerbGlobalUseStrongEncryptionForDatagram = KERB_DEFAULT_USE_STRONG_ENC_DG;
|
|
KerbGlobalDefaultPreauthEtype = KERB_ETYPE_RC4_HMAC_NT;
|
|
KerbGlobalMaxTokenSize = KERBEROS_MAX_TOKEN;
|
|
|
|
#ifndef WIN32_CHICAGO
|
|
//
|
|
// Set the max authenticator age to be less than the allowed skew time
|
|
// on debug builds so we can have widely varying time on machines but
|
|
// don't build up a huge list of authenticators.
|
|
//
|
|
|
|
NetStatus = NetpOpenConfigDataWithPath(
|
|
&ConfigHandle,
|
|
NULL, // no server name
|
|
KERB_PARAMETER_PATH,
|
|
TRUE // read only
|
|
);
|
|
if (NetStatus == ERROR_SUCCESS)
|
|
{
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_SKEWTIME,
|
|
KERB_DEFAULT_SKEWTIME,
|
|
&SkewTimeInMinutes
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_MAX_TOKEN_SIZE,
|
|
KERBEROS_MAX_TOKEN,
|
|
&KerbGlobalMaxTokenSize
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Get the far timeout for the kdc
|
|
//
|
|
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_FAR_KDC_TIMEOUT,
|
|
KERB_BINDING_FAR_DC_TIMEOUT,
|
|
&FarKdcTimeout
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Get the near timeout for the kdc
|
|
//
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_NEAR_KDC_TIMEOUT,
|
|
KERB_BINDING_NEAR_DC_TIMEOUT,
|
|
&NearKdcTimeout
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Get the near timeout for the kdc
|
|
//
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_SPN_CACHE_TIMEOUT,
|
|
KERB_SPN_CACHE_TIMEOUT,
|
|
&SpnCacheTimeout
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// Get the wait time for the service to start
|
|
//
|
|
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_START_TIME,
|
|
KERB_KDC_WAIT_TIME,
|
|
&KerbGlobalKdcWaitTime
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_KDC_CALL_TIMEOUT,
|
|
KERB_KDC_CALL_TIMEOUT,
|
|
&KerbGlobalKdcCallTimeout
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_MAX_UDP_PACKET,
|
|
KERB_MAX_DATAGRAM_SIZE,
|
|
&KerbGlobalMaxDatagramSize
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_KDC_BACKOFF_TIME,
|
|
KERB_KDC_CALL_TIMEOUT_BACKOFF,
|
|
&KerbGlobalKdcCallBackoff
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_MAX_REFERRAL_COUNT,
|
|
KERB_MAX_REFERRAL_COUNT,
|
|
&KerbGlobalMaxReferralCount
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_KDC_SEND_RETRIES,
|
|
KERB_MAX_RETRIES,
|
|
&KerbGlobalKdcSendRetries
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_LOG_LEVEL,
|
|
KERB_DEFAULT_LOGLEVEL,
|
|
&KerbGlobalLoggingLevel
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_DEFAULT_ETYPE,
|
|
KerbGlobalDefaultPreauthEtype,
|
|
&KerbGlobalDefaultPreauthEtype
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_REQUEST_OPTIONS,
|
|
KERB_ADDITIONAL_KDC_OPTIONS,
|
|
&KerbGlobalKdcOptions
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
NetStatus = NetpGetConfigBool(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_USE_SID_CACHE,
|
|
KERB_DEFAULT_USE_SIDCACHE,
|
|
&TempBool
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
KerbGlobalUseSidCache = (BOOLEAN)( TempBool != 0 );
|
|
|
|
//
|
|
// BUG 454981: get this from the same place as NTLM
|
|
//
|
|
|
|
NetStatus = NetpGetConfigBool(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_STRONG_ENC_DG,
|
|
KERB_DEFAULT_USE_STRONG_ENC_DG,
|
|
&TempBool
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
KerbGlobalUseStrongEncryptionForDatagram = (BOOLEAN)(TempBool != 0 );
|
|
|
|
//
|
|
// Bug 356539: configuration key to regulate whether clients request
|
|
// addresses in tickets
|
|
//
|
|
|
|
NetStatus = NetpGetConfigBool(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_CLIENT_IP_ADDRESSES,
|
|
KERB_DEFAULT_CLIENT_IP_ADDRESSES,
|
|
&TempBool
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
KerbGlobalUseClientIpAddresses = (BOOLEAN)( TempBool != 0 );
|
|
|
|
//
|
|
// Bug 353767: configuration key to regulate the TGT renewal interval
|
|
// - set to 10 hours less 5 minutes by default
|
|
//
|
|
|
|
NetStatus = NetpGetConfigDword(
|
|
ConfigHandle,
|
|
KERB_PARAMETER_TGT_RENEWAL_INTERVAL,
|
|
KERB_DEFAULT_TGT_RENEWAL_INTERVAL,
|
|
&KerbGlobalTgtRenewalInterval
|
|
);
|
|
if (!NT_SUCCESS(NetStatus))
|
|
{
|
|
Status = NetpApiStatusToNtStatus(NetStatus);
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
#endif // WIN32_CHICAGO
|
|
|
|
|
|
KerbSetTimeInMinutes(&KerbGlobalSkewTime, SkewTimeInMinutes);
|
|
KerbSetTimeInMinutes(&MaxAuthenticatorAge, SkewTimeInMinutes);
|
|
KerbSetTimeInMinutes(&KerbGlobalFarKdcTimeout,FarKdcTimeout);
|
|
KerbSetTimeInMinutes(&KerbGlobalNearKdcTimeout, NearKdcTimeout);
|
|
KerbSetTimeInMinutes(&KerbGlobalSpnCacheTimeout, SpnCacheTimeout);
|
|
#ifndef WIN32_CHICAGO
|
|
Authenticators = new CAuthenticatorList( MaxAuthenticatorAge );
|
|
if (Authenticators == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
#endif WIN32_CHICAGO
|
|
|
|
|
|
//
|
|
// Initialize the time skew code
|
|
//
|
|
|
|
Status = KerbInitializeSkewState();
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
Cleanup:
|
|
#ifndef WIN32_CHICAGO
|
|
if (ConfigHandle != NULL)
|
|
{
|
|
NetpCloseConfigData( ConfigHandle );
|
|
}
|
|
#endif // WIN32_CHICAGO
|
|
|
|
return(Status);
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbCleanupTicketHandling
|
|
//
|
|
// Synopsis: cleans up ticket handling state, such as the
|
|
// list of authenticators.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns: none
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
VOID
|
|
KerbCleanupTicketHandling(
|
|
VOID
|
|
)
|
|
{
|
|
#ifndef WIN32_CHICAGO
|
|
if (Authenticators != NULL)
|
|
{
|
|
delete Authenticators;
|
|
}
|
|
#endif // WIN32_CHICAGO
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbBuildTgtRequest
|
|
//
|
|
// Synopsis: Creates a tgt request for user-to-user authentication
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbBuildTgtRequest(
|
|
IN PKERB_INTERNAL_NAME TargetName,
|
|
IN PUNICODE_STRING TargetRealm,
|
|
OUT PULONG ContextAttributes,
|
|
OUT PUCHAR * MarshalledTgtRequest,
|
|
OUT PULONG TgtRequestSize
|
|
)
|
|
{
|
|
KERB_TGT_REQUEST Request = {0};
|
|
KERBERR KerbErr = KDC_ERR_NONE;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PBYTE TempRequest = NULL;
|
|
PBYTE RequestStart;
|
|
ULONG TempRequestSize = 0;
|
|
|
|
//
|
|
// First build the request
|
|
//
|
|
|
|
Request.version = KERBEROS_VERSION;
|
|
Request.message_type = KRB_TGT_REQ;
|
|
if (TargetName->NameCount > 0)
|
|
{
|
|
KerbErr = KerbConvertKdcNameToPrincipalName(
|
|
&Request.KERB_TGT_REQUEST_server_name,
|
|
TargetName
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
Request.bit_mask |= KERB_TGT_REQUEST_server_name_present;
|
|
}
|
|
else
|
|
{
|
|
*ContextAttributes |= KERB_CONTEXT_REQ_SERVER_NAME;
|
|
}
|
|
|
|
if (TargetRealm->Length > 0)
|
|
{
|
|
KerbErr = KerbConvertUnicodeStringToRealm(
|
|
&Request.server_realm,
|
|
TargetRealm
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
Request.bit_mask |= server_realm_present;
|
|
}
|
|
else
|
|
{
|
|
*ContextAttributes |= KERB_CONTEXT_REQ_SERVER_REALM;
|
|
}
|
|
|
|
//
|
|
// Encode the request
|
|
//
|
|
|
|
KerbErr = KerbPackData(
|
|
&Request,
|
|
KERB_TGT_REQUEST_PDU,
|
|
&TempRequestSize,
|
|
&TempRequest
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now add on the space for the OID
|
|
//
|
|
|
|
*TgtRequestSize = g_token_size(
|
|
gss_mech_krb5_u2u,
|
|
TempRequestSize
|
|
);
|
|
*MarshalledTgtRequest = (PBYTE) MIDL_user_allocate(
|
|
*TgtRequestSize
|
|
);
|
|
if (*MarshalledTgtRequest == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Add the token ID & mechanism
|
|
//
|
|
|
|
RequestStart = *MarshalledTgtRequest;
|
|
|
|
g_make_token_header(
|
|
gss_mech_krb5_u2u,
|
|
TempRequestSize,
|
|
&RequestStart,
|
|
KG_TOK_CTX_TGT_REQ
|
|
);
|
|
|
|
RtlCopyMemory(
|
|
RequestStart,
|
|
TempRequest,
|
|
TempRequestSize
|
|
);
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
Cleanup:
|
|
|
|
if (TempRequest != NULL )
|
|
{
|
|
MIDL_user_free(TempRequest);
|
|
}
|
|
KerbFreePrincipalName(
|
|
&Request.KERB_TGT_REQUEST_server_name
|
|
);
|
|
if ((Request.bit_mask & server_realm_present) != 0)
|
|
{
|
|
KerbFreeRealm(
|
|
&Request.server_realm
|
|
);
|
|
}
|
|
|
|
return(Status);
|
|
|
|
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbBuildTgtReply
|
|
//
|
|
// Synopsis: Builds a TGT reply with the appropriate options set
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires: The logonsession / credential must be LOCKD!
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
NTSTATUS
|
|
KerbBuildTgtReply(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_CREDENTIAL Credentials,
|
|
IN PUNICODE_STRING pSuppRealm,
|
|
OUT PKERBERR ReturnedError,
|
|
OUT PBYTE * MarshalledReply,
|
|
OUT PULONG ReplySize,
|
|
OUT PKERB_TICKET_CACHE_ENTRY * TgtUsed
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
KERBERR KerbErr = KDC_ERR_NONE;
|
|
KERB_TICKET_CACHE_ENTRY* TicketGrantingTicket = NULL;
|
|
KERB_TGT_REPLY Reply = {0};
|
|
UNICODE_STRING TempName = {0};
|
|
BOOLEAN CrossRealm = FALSE;
|
|
|
|
*TgtUsed = NULL; ;
|
|
|
|
D_DebugLog((DEB_TRACE_U2U, "KerbBuildTgtReply SuppRealm %wZ\n", pSuppRealm));
|
|
|
|
Status = KerbGetTgtForService(
|
|
LogonSession,
|
|
Credentials,
|
|
NULL, // no credman on the server side
|
|
pSuppRealm, // SuppRealm is the server's realm
|
|
&TempName, // no target realm
|
|
KERB_TICKET_CACHE_PRIMARY_TGT,
|
|
&TicketGrantingTicket,
|
|
&CrossRealm
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status) || CrossRealm)
|
|
{
|
|
DebugLog((DEB_ERROR, "KerbBuildTgtReply failed to get TGT, CrossRealm ? %s\n", CrossRealm ? "true" : "false"));
|
|
*ReturnedError = KRB_AP_ERR_NO_TGT;
|
|
Status = STATUS_USER2USER_REQUIRED;
|
|
goto Cleanup;
|
|
}
|
|
|
|
Reply.version = KERBEROS_VERSION;
|
|
Reply.message_type = KRB_TGT_REP;
|
|
|
|
KerbReadLockTicketCache();
|
|
Reply.ticket = TicketGrantingTicket->Ticket;
|
|
|
|
//
|
|
// Marshall the output
|
|
//
|
|
|
|
KerbErr = KerbPackData(
|
|
&Reply,
|
|
KERB_TGT_REPLY_PDU,
|
|
ReplySize,
|
|
MarshalledReply
|
|
);
|
|
|
|
KerbUnlockTicketCache();
|
|
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
*TgtUsed = TicketGrantingTicket;
|
|
TicketGrantingTicket = NULL;
|
|
Cleanup:
|
|
|
|
if (TicketGrantingTicket != NULL)
|
|
{
|
|
KerbDereferenceTicketCacheEntry(TicketGrantingTicket);
|
|
}
|
|
|
|
KerbFreeString(&TempName);
|
|
|
|
return(Status);
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbBuildTgtErrorReply
|
|
//
|
|
// Synopsis: Builds a TgtReply message for use in a KERB_ERROR message
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
NTSTATUS
|
|
KerbBuildTgtErrorReply(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_CREDENTIAL Credential,
|
|
IN BOOLEAN UseSuppliedCreds,
|
|
IN OUT PKERB_CONTEXT Context,
|
|
OUT PULONG ReplySize,
|
|
OUT PBYTE * Reply
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
KERBERR KerbErr = KDC_ERR_NONE;
|
|
PKERB_PRIMARY_CREDENTIAL PrimaryCredentials;
|
|
PKERB_TICKET_CACHE_ENTRY TgtUsed = NULL, OldTgt = NULL;
|
|
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
|
|
if ( UseSuppliedCreds )
|
|
{
|
|
PrimaryCredentials = Credential->SuppliedCredentials;
|
|
}
|
|
else
|
|
{
|
|
PrimaryCredentials = &LogonSession->PrimaryCredentials;
|
|
}
|
|
|
|
Status = KerbBuildTgtReply(
|
|
LogonSession,
|
|
Credential,
|
|
&PrimaryCredentials->DomainName,
|
|
&KerbErr,
|
|
Reply,
|
|
ReplySize,
|
|
&TgtUsed
|
|
);
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
|
|
//
|
|
// Store the cache entry in the context
|
|
//
|
|
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
KerbWriteLockContexts();
|
|
OldTgt = Context->TicketCacheEntry;
|
|
Context->TicketCacheEntry = TgtUsed;
|
|
|
|
//
|
|
// On the error path, do not set KERB_CONTEXT_USER_TO_USER because the
|
|
// client do not expect user2user at this moment
|
|
//
|
|
// Context->ContextAttributes |= KERB_CONTEXT_USER_TO_USER;
|
|
//
|
|
|
|
KerbUnlockContexts();
|
|
|
|
DebugLog((DEB_TRACE_U2U, "KerbHandleTgtRequest (TGT in error reply) saving ASC context->TicketCacheEntry, TGT is %p, was %p\n", TgtUsed, OldTgt));
|
|
|
|
TgtUsed = NULL;
|
|
|
|
if (OldTgt != NULL)
|
|
{
|
|
KerbDereferenceTicketCacheEntry(OldTgt);
|
|
}
|
|
}
|
|
|
|
return(Status);
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbHandleTgtRequest
|
|
//
|
|
// Synopsis: Processes a request for a TGT. It will verify the supplied
|
|
// principal names and marshall a TGT response structure
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS
|
|
KerbHandleTgtRequest(
|
|
IN PKERB_LOGON_SESSION LogonSession,
|
|
IN PKERB_CREDENTIAL Credential,
|
|
IN BOOLEAN UseSuppliedCreds,
|
|
IN PUCHAR RequestMessage,
|
|
IN ULONG RequestSize,
|
|
IN ULONG ContextRequirements,
|
|
IN PSecBuffer OutputToken,
|
|
IN PLUID LogonId,
|
|
OUT PULONG ContextAttributes,
|
|
OUT PKERB_CONTEXT * Context,
|
|
OUT PTimeStamp ContextLifetime,
|
|
OUT PKERBERR ReturnedError
|
|
)
|
|
{
|
|
ULONG StrippedRequestSize;
|
|
PUCHAR StrippedRequest;
|
|
KERBERR KerbErr = KDC_ERR_NONE;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PKERB_TGT_REQUEST Request = NULL;
|
|
BOOLEAN LockAcquired = FALSE;
|
|
PKERB_PRIMARY_CREDENTIAL PrimaryCredentials;
|
|
PKERB_TICKET_CACHE_ENTRY CacheEntry = NULL;
|
|
PKERB_TICKET_CACHE_ENTRY pOldTgt = NULL;
|
|
ULONG ReplySize = 0;
|
|
PBYTE MarshalledReply = NULL;
|
|
ULONG FinalSize;
|
|
PBYTE ReplyStart;
|
|
PKERB_TICKET_CACHE_ENTRY TgtUsed = NULL;
|
|
|
|
D_DebugLog((DEB_TRACE,"Handling TGT request\n"));
|
|
StrippedRequestSize = RequestSize;
|
|
StrippedRequest = RequestMessage;
|
|
|
|
*ReturnedError = KDC_ERR_NONE;
|
|
|
|
//
|
|
// We need an output token
|
|
//
|
|
|
|
if (OutputToken == NULL)
|
|
{
|
|
return(SEC_E_INVALID_TOKEN);
|
|
}
|
|
|
|
//
|
|
// Check if this is user-to-user kerberos
|
|
//
|
|
|
|
if (g_verify_token_header(
|
|
gss_mech_krb5_u2u,
|
|
(INT *) &StrippedRequestSize,
|
|
&StrippedRequest,
|
|
KG_TOK_CTX_TGT_REQ,
|
|
RequestSize))
|
|
{
|
|
*ContextAttributes |= ASC_RET_USE_SESSION_KEY;
|
|
|
|
}
|
|
else
|
|
{
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Decode the tgt request message.
|
|
//
|
|
|
|
KerbErr = KerbUnpackData(
|
|
StrippedRequest,
|
|
StrippedRequestSize,
|
|
KERB_TGT_REQUEST_PDU,
|
|
(PVOID *) &Request
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to decode TGT request: 0x%x. %ws, line %d\n",KerbErr, THIS_FILE, __LINE__));
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbReadLockLogonSessions(LogonSession);
|
|
|
|
if ( UseSuppliedCreds )
|
|
{
|
|
PrimaryCredentials = Credential->SuppliedCredentials;
|
|
}
|
|
else
|
|
{
|
|
PrimaryCredentials = &LogonSession->PrimaryCredentials;
|
|
}
|
|
LockAcquired = TRUE;
|
|
|
|
//
|
|
// Check the supplied principal name and realm to see if it matches
|
|
// out credentials
|
|
//
|
|
|
|
//
|
|
// We don't need to verify the server name because the client can do
|
|
// that.
|
|
//
|
|
|
|
//
|
|
// Allocate a context
|
|
//
|
|
|
|
Status = KerbCreateEmptyContext(
|
|
Credential,
|
|
ASC_RET_USE_SESSION_KEY, // indicating user-to-user
|
|
KERB_CONTEXT_USER_TO_USER | KERB_CONTEXT_INBOUND,
|
|
LogonId,
|
|
Context,
|
|
ContextLifetime
|
|
);
|
|
|
|
DebugLog((DEB_TRACE_U2U, "KerbHandleTgtRequest (TGT in TGT reply) USER2USER-INBOUND set %#x\n", Status));
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Put it in the context for later use
|
|
//
|
|
|
|
Status = KerbBuildTgtReply(
|
|
LogonSession,
|
|
Credential,
|
|
&PrimaryCredentials->DomainName,
|
|
ReturnedError,
|
|
&MarshalledReply,
|
|
&ReplySize,
|
|
&TgtUsed
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Put it in the context for later use
|
|
//
|
|
|
|
KerbWriteLockContexts();
|
|
pOldTgt = (*Context)->TicketCacheEntry;
|
|
(*Context)->TicketCacheEntry = TgtUsed;
|
|
KerbUnlockContexts();
|
|
|
|
DebugLog((DEB_TRACE_U2U, "KerbHandleTgtRequest (TGT in TGT reply) saving ASC context->TicketCacheEntry, TGT is %p, was %p\n", TgtUsed, pOldTgt));
|
|
TgtUsed = NULL;
|
|
|
|
if (pOldTgt)
|
|
{
|
|
KerbDereferenceTicketCacheEntry(pOldTgt);
|
|
}
|
|
|
|
//
|
|
// Now build the output message
|
|
//
|
|
|
|
FinalSize = g_token_size(
|
|
gss_mech_krb5_u2u,
|
|
ReplySize
|
|
);
|
|
|
|
|
|
if ((ContextRequirements & ASC_REQ_ALLOCATE_MEMORY) == 0)
|
|
{
|
|
if (OutputToken->cbBuffer < FinalSize)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Output token is too small - sent in %d, needed %d. %ws, line %d\n",
|
|
OutputToken->cbBuffer,ReplySize, THIS_FILE, __LINE__ ));
|
|
Status = STATUS_BUFFER_TOO_SMALL;
|
|
goto Cleanup;
|
|
}
|
|
|
|
}
|
|
else
|
|
{
|
|
OutputToken->pvBuffer = KerbAllocate(FinalSize);
|
|
if (OutputToken->pvBuffer == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
*ContextAttributes |= ISC_RET_ALLOCATED_MEMORY;
|
|
}
|
|
|
|
ReplyStart = (PUCHAR) OutputToken->pvBuffer;
|
|
g_make_token_header(
|
|
gss_mech_krb5_u2u,
|
|
ReplySize,
|
|
&ReplyStart,
|
|
KG_TOK_CTX_TGT_REP
|
|
);
|
|
|
|
RtlCopyMemory(
|
|
ReplyStart,
|
|
MarshalledReply,
|
|
ReplySize
|
|
);
|
|
|
|
OutputToken->cbBuffer = FinalSize;
|
|
KerbWriteLockContexts();
|
|
(*Context)->ContextState = TgtReplySentState;
|
|
KerbUnlockContexts();
|
|
|
|
Cleanup:
|
|
if (LockAcquired)
|
|
{
|
|
KerbUnlockLogonSessions(LogonSession);
|
|
}
|
|
if (CacheEntry != NULL)
|
|
{
|
|
KerbDereferenceTicketCacheEntry(CacheEntry);
|
|
}
|
|
|
|
if (TgtUsed != NULL)
|
|
{
|
|
KerbDereferenceTicketCacheEntry(TgtUsed);
|
|
}
|
|
if (MarshalledReply != NULL)
|
|
{
|
|
MIDL_user_free(MarshalledReply);
|
|
}
|
|
if (Request != NULL)
|
|
{
|
|
KerbFreeData(KERB_TGT_REQUEST_PDU, Request);
|
|
}
|
|
|
|
return(Status);
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbUnpackTgtReply
|
|
//
|
|
// Synopsis: Unpacks a TGT reply and verifies contents, sticking
|
|
// reply into context.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS
|
|
KerbUnpackTgtReply(
|
|
IN PKERB_CONTEXT Context,
|
|
IN PUCHAR ReplyMessage,
|
|
IN ULONG ReplySize,
|
|
OUT PKERB_INTERNAL_NAME * TargetName,
|
|
OUT PUNICODE_STRING TargetRealm,
|
|
OUT PKERB_TGT_REPLY * Reply
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
KERBERR KerbErr = KDC_ERR_NONE;
|
|
UNICODE_STRING LocalTargetRealm = {0};
|
|
PUCHAR StrippedReply = ReplyMessage;
|
|
ULONG StrippedReplySize = ReplySize;
|
|
ULONG ContextAttributes;
|
|
|
|
*Reply = NULL;
|
|
KerbReadLockContexts();
|
|
ContextAttributes = Context->ContextAttributes;
|
|
KerbUnlockContexts();
|
|
|
|
D_DebugLog((DEB_TRACE_U2U, "KerbUnpackTgtReply is User2User set in ContextAttributes? %s\n", ContextAttributes & KERB_CONTEXT_USER_TO_USER ? "yes" : "no"));
|
|
|
|
//
|
|
// Verify the OID header on the response. If this wasn't a user-to-user
|
|
// context then the message came from a KERB_ERROR message and won't
|
|
// have the OID header.
|
|
//
|
|
|
|
if ((ContextAttributes & KERB_CONTEXT_USER_TO_USER) != 0)
|
|
{
|
|
if (!g_verify_token_header(
|
|
gss_mech_krb5_u2u,
|
|
(INT *) &StrippedReplySize,
|
|
&StrippedReply,
|
|
KG_TOK_CTX_TGT_REP,
|
|
ReplySize))
|
|
{
|
|
D_DebugLog((DEB_WARN, "Failed to verify u2u token header\n"));
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
else
|
|
{
|
|
StrippedReply = ReplyMessage;
|
|
StrippedReplySize = ReplySize;
|
|
|
|
//
|
|
// this is an error tgt reply
|
|
//
|
|
|
|
KerbWriteLockContexts();
|
|
Context->ContextFlags |= ISC_RET_USE_SESSION_KEY;
|
|
|
|
//
|
|
// KERB_CONTEXT_USER_TO_USER needs to be set
|
|
//
|
|
|
|
Context->ContextAttributes |= KERB_CONTEXT_USER_TO_USER;
|
|
KerbUnlockContexts();
|
|
|
|
DebugLog((DEB_TRACE_U2U, "KerbUnpackTgtReply (TGT in error reply) USER2USER-OUTBOUND set\n"));
|
|
}
|
|
|
|
//
|
|
// Decode the response
|
|
//
|
|
|
|
KerbErr = KerbUnpackData(
|
|
StrippedReply,
|
|
StrippedReplySize,
|
|
KERB_TGT_REPLY_PDU,
|
|
(PVOID *) Reply
|
|
);
|
|
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Pull the target name & realm out of the TGT reply message
|
|
//
|
|
|
|
KerbErr = KerbConvertRealmToUnicodeString(
|
|
&LocalTargetRealm,
|
|
&(*Reply)->ticket.realm
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
Status = KerbMapKerbError(KerbErr);
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// If we were asked to get the server & realm name, use them now
|
|
//
|
|
|
|
//
|
|
// BUG 455793: we also use them if we weren't passed a target name on this
|
|
// call. Since we don't require names to be passed, though, this is
|
|
// a security problem, as mutual authentication is no longer guaranteed.
|
|
//
|
|
|
|
if (((ContextAttributes & KERB_CONTEXT_REQ_SERVER_REALM) != 0) ||
|
|
(TargetRealm->Length == 0))
|
|
{
|
|
KerbFreeString(
|
|
TargetRealm
|
|
);
|
|
*TargetRealm = LocalTargetRealm;
|
|
LocalTargetRealm.Buffer = NULL;
|
|
}
|
|
|
|
if (((ContextAttributes & KERB_CONTEXT_REQ_SERVER_NAME) != 0) ||
|
|
(((*TargetName)->NameCount == 1) && ((*TargetName)->Names[0].Length == 0)))
|
|
{
|
|
ULONG ProcessFlags = 0;
|
|
UNICODE_STRING TempRealm = {0};
|
|
|
|
KerbFreeKdcName(
|
|
TargetName
|
|
);
|
|
|
|
Status = KerbProcessTargetNames(
|
|
&Context->ServerPrincipalName,
|
|
NULL, // no local target name
|
|
0, // no flags
|
|
&ProcessFlags,
|
|
TargetName,
|
|
&TempRealm,
|
|
NULL
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
KerbFreeString(&TempRealm);
|
|
|
|
}
|
|
|
|
|
|
Cleanup:
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
if (*Reply != NULL)
|
|
{
|
|
KerbFreeData(
|
|
KERB_TGT_REPLY_PDU,
|
|
*Reply
|
|
);
|
|
*Reply = NULL;
|
|
}
|
|
}
|
|
|
|
if (LocalTargetRealm.Buffer != NULL)
|
|
{
|
|
KerbFreeString(
|
|
&LocalTargetRealm
|
|
);
|
|
}
|
|
|
|
return(Status);
|
|
|
|
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KerbComputeGssBindHash
|
|
//
|
|
// Synopsis: Computes the Channel Bindings Hash for GSSAPI
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires: At least 16 bytes allocated to HashBuffer
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
// (viz. RFC1964)
|
|
// MD5 hash of channel bindings, taken over all non-null
|
|
// components of bindings, in order of declaration.
|
|
// Integer fields within channel bindings are represented
|
|
// in little-endian order for the purposes of the MD5
|
|
// calculation.
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
KerbComputeGssBindHash(
|
|
IN PSEC_CHANNEL_BINDINGS pChannelBindings,
|
|
OUT PUCHAR HashBuffer
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PCHECKSUM_FUNCTION MD5Check = NULL;
|
|
PCHECKSUM_BUFFER MD5ScratchBuffer = NULL;
|
|
|
|
//
|
|
// Locate the MD5 Hash Function
|
|
//
|
|
Status = CDLocateCheckSum(KERB_CHECKSUM_MD5, &MD5Check);
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
D_DebugLog( (DEB_ERROR,
|
|
"Failure Locating MD5: 0x%x. %ws, line %d\n",
|
|
Status,
|
|
THIS_FILE,
|
|
__LINE__) );
|
|
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Initialize the Buffer
|
|
//
|
|
Status = MD5Check->Initialize(0, &MD5ScratchBuffer);
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
D_DebugLog( (DEB_ERROR,
|
|
"Failure initializing MD5: 0x%x. %ws, line %d\n",
|
|
Status,
|
|
THIS_FILE,
|
|
__LINE__) );
|
|
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Build the MD5 hash
|
|
//
|
|
Status = MD5Check->Sum(MD5ScratchBuffer,
|
|
sizeof(DWORD),
|
|
(PUCHAR) &pChannelBindings->dwInitiatorAddrType );
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
D_DebugLog( (DEB_ERROR,
|
|
"Failure building MD5: 0x%x. %ws, line %d\n",
|
|
Status,
|
|
THIS_FILE,
|
|
__LINE__) );
|
|
}
|
|
|
|
Status = MD5Check->Sum(MD5ScratchBuffer,
|
|
sizeof(DWORD),
|
|
(PUCHAR) &pChannelBindings->cbInitiatorLength );
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
D_DebugLog( (DEB_ERROR,
|
|
"Failure building MD5: 0x%x. %ws, line %d\n",
|
|
Status,
|
|
THIS_FILE,
|
|
__LINE__) );
|
|
}
|
|
|
|
if( pChannelBindings->cbInitiatorLength )
|
|
{
|
|
Status = MD5Check->Sum(MD5ScratchBuffer,
|
|
pChannelBindings->cbInitiatorLength,
|
|
(PUCHAR) pChannelBindings + pChannelBindings->dwInitiatorOffset);
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
D_DebugLog( (DEB_ERROR,
|
|
"Failure building MD5: 0x%x. %ws, line %d\n",
|
|
Status,
|
|
THIS_FILE,
|
|
__LINE__) );
|
|
}
|
|
}
|
|
|
|
Status = MD5Check->Sum(MD5ScratchBuffer,
|
|
sizeof(DWORD),
|
|
(PUCHAR) &pChannelBindings->dwAcceptorAddrType);
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
D_DebugLog( (DEB_ERROR,
|
|
"Failure building MD5: 0x%x. %ws, line %d\n",
|
|
Status,
|
|
THIS_FILE,
|
|
__LINE__) );
|
|
}
|
|
|
|
Status = MD5Check->Sum(MD5ScratchBuffer,
|
|
sizeof(DWORD),
|
|
(PUCHAR) &pChannelBindings->cbAcceptorLength);
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
D_DebugLog( (DEB_ERROR,
|
|
"Failure building MD5: 0x%x. %ws, line %d\n",
|
|
Status,
|
|
THIS_FILE,
|
|
__LINE__) );
|
|
}
|
|
|
|
if( pChannelBindings->cbAcceptorLength)
|
|
{
|
|
Status = MD5Check->Sum(MD5ScratchBuffer,
|
|
pChannelBindings->cbAcceptorLength,
|
|
(PUCHAR) pChannelBindings + pChannelBindings->dwAcceptorOffset);
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
D_DebugLog( (DEB_ERROR,
|
|
"Failure building MD5: 0x%x. %ws, line %d\n",
|
|
Status,
|
|
THIS_FILE,
|
|
__LINE__) );
|
|
}
|
|
}
|
|
|
|
Status = MD5Check->Sum(MD5ScratchBuffer,
|
|
sizeof(DWORD),
|
|
(PUCHAR) &pChannelBindings->cbApplicationDataLength);
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
D_DebugLog( (DEB_ERROR,
|
|
"Failure building MD5: 0x%x. %ws, line %d\n",
|
|
Status,
|
|
THIS_FILE,
|
|
__LINE__) );
|
|
}
|
|
|
|
if( pChannelBindings->cbApplicationDataLength)
|
|
{
|
|
Status = MD5Check->Sum(MD5ScratchBuffer,
|
|
pChannelBindings->cbApplicationDataLength,
|
|
(PUCHAR) pChannelBindings + pChannelBindings->dwApplicationDataOffset);
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
D_DebugLog( (DEB_ERROR,
|
|
"Failure building MD5: 0x%x. %ws, line %d\n",
|
|
Status,
|
|
THIS_FILE,
|
|
__LINE__) );
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// Copy the hash results into the checksum field
|
|
//
|
|
DsysAssert( MD5Check->CheckSumSize == 4*sizeof(ULONG) );
|
|
|
|
Status = MD5Check->Finalize( MD5ScratchBuffer, HashBuffer );
|
|
|
|
if( !NT_SUCCESS(Status) )
|
|
{
|
|
D_DebugLog( (DEB_ERROR,
|
|
"Failure Finalizing MD5: 0x%x. %ws, line %d\n",
|
|
Status,
|
|
THIS_FILE,
|
|
__LINE__) );
|
|
|
|
goto Cleanup;
|
|
}
|
|
|
|
Cleanup:
|
|
|
|
if( MD5Check != NULL )
|
|
{
|
|
MD5Check->Finish( &MD5ScratchBuffer );
|
|
}
|
|
|
|
return Status;
|
|
}
|