mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3818 lines
105 KiB
3818 lines
105 KiB
//+-----------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
//
|
|
// Copyright (c) Microsoft Corporation 1992 - 1999
|
|
//
|
|
// File: userapi.cxx
|
|
//
|
|
// Contents: User-mode APIs to the NtLm security package
|
|
//
|
|
// Main user mode entry points into this dll:
|
|
// SpUserModeInitialize
|
|
// SpInstanceInit
|
|
// SpDeleteUserModeContext
|
|
// SpInitUserModeContext
|
|
// SpMakeSignature
|
|
// SpVerifySignature
|
|
// SpSealMessage
|
|
// SpUnsealMessage
|
|
// SpGetContextToken
|
|
// SpQueryContextAttributes
|
|
// SpCompleteAuthToken
|
|
// SpFormatCredentials
|
|
// SpMarshallSupplementalCreds
|
|
// SpExportSecurityContext
|
|
// SpImportSecurityContext
|
|
//
|
|
// Helper functions:
|
|
// ReferenceUserContext
|
|
// FreeUserContext
|
|
// DereferenceUserContext
|
|
// SspGenCheckSum
|
|
// SspEncryptBuffer
|
|
// NtLmMakePackedContext(this is called in the client's process)
|
|
// NtLmCreateUserModeContext
|
|
// SspGetTokenUser
|
|
// SspCreateTokenDacl
|
|
// SspMapContext (this is called in Lsa mode)
|
|
//
|
|
// History: ChandanS 26-Jul-1996 Stolen from kerberos\client2\userapi.cxx
|
|
//
|
|
//------------------------------------------------------------------------
|
|
#include <global.h> // Globals!
|
|
#include "crc32.h" // How to use crc32
|
|
|
|
extern "C"
|
|
{
|
|
#include <nlp.h>
|
|
}
|
|
|
|
// Keep this is sync with NTLM_KERNEL_CONTEXT defined in
|
|
// security\msv_sspi\kernel\krnlapi.cxx
|
|
|
|
typedef struct _NTLM_CLIENT_CONTEXT{
|
|
union {
|
|
LIST_ENTRY Next;
|
|
KSEC_LIST_ENTRY KernelNext;
|
|
};
|
|
ULONG_PTR LsaContext;
|
|
ULONG NegotiateFlags;
|
|
HANDLE ClientTokenHandle;
|
|
PACCESS_TOKEN AccessToken;
|
|
PULONG pSendNonce; // ptr to nonce to use for send
|
|
PULONG pRecvNonce; // ptr to nonce to use for receive
|
|
struct RC4_KEYSTRUCT * pSealRc4Sched; // ptr to key sched used for Seal
|
|
struct RC4_KEYSTRUCT * pUnsealRc4Sched; // ptr to key sched used to Unseal
|
|
ULONG SendNonce;
|
|
ULONG RecvNonce;
|
|
LPWSTR ContextNames;
|
|
PUCHAR pbMarshalledTargetInfo;
|
|
ULONG cbMarshalledTargetInfo;
|
|
UCHAR SessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
|
|
ULONG ContextSignature;
|
|
ULONG References ;
|
|
TimeStamp PasswordExpiry;
|
|
ULONG UserFlags;
|
|
UCHAR SignSessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
|
|
UCHAR VerifySessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
|
|
UCHAR SealSessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
|
|
UCHAR UnsealSessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
|
|
|
|
ULONG64 Pad1; // pad keystructs to 64.
|
|
struct RC4_KEYSTRUCT SealRc4Sched; // key struct used for Seal
|
|
ULONG64 Pad2; // pad keystructs to 64.
|
|
struct RC4_KEYSTRUCT UnsealRc4Sched; // key struct used to Unseal
|
|
} NTLM_CLIENT_CONTEXT, * PNTLM_CLIENT_CONTEXT;
|
|
|
|
typedef struct _NTLM_PACKED_CONTEXT {
|
|
ULONG Tag ;
|
|
ULONG NegotiateFlags ;
|
|
ULONG ClientTokenHandle ;
|
|
ULONG SendNonce ;
|
|
ULONG RecvNonce ;
|
|
UCHAR SessionKey[ MSV1_0_USER_SESSION_KEY_LENGTH ];
|
|
ULONG ContextSignature ;
|
|
TimeStamp PasswordExpiry ;
|
|
ULONG UserFlags ;
|
|
ULONG ContextNames ;
|
|
ULONG ContextNameLength ;
|
|
ULONG MarshalledTargetInfo; // offset
|
|
ULONG MarshalledTargetInfoLength;
|
|
UCHAR SignSessionKey[ MSV1_0_USER_SESSION_KEY_LENGTH ];
|
|
UCHAR VerifySessionKey[ MSV1_0_USER_SESSION_KEY_LENGTH ];
|
|
UCHAR SealSessionKey[ MSV1_0_USER_SESSION_KEY_LENGTH ];
|
|
UCHAR UnsealSessionKey[ MSV1_0_USER_SESSION_KEY_LENGTH ];
|
|
struct RC4_KEYSTRUCT SealRc4Sched;
|
|
struct RC4_KEYSTRUCT UnsealRc4Sched;
|
|
} NTLM_PACKED_CONTEXT, * PNTLM_PACKED_CONTEXT ;
|
|
|
|
#define NTLM_PACKED_CONTEXT_MAP 0
|
|
#define NTLM_PACKED_CONTEXT_EXPORT 1
|
|
|
|
#define CSSEALMAGIC "session key to client-to-server sealing key magic constant"
|
|
#define SCSEALMAGIC "session key to server-to-client sealing key magic constant"
|
|
#define CSSIGNMAGIC "session key to client-to-server signing key magic constant"
|
|
#define SCSIGNMAGIC "session key to server-to-client signing key magic constant"
|
|
|
|
|
|
|
|
#define NTLM_USERLIST_COUNT (16) // count of lists
|
|
#define NTLM_USERLIST_LOCK_COUNT (2) // count of locks
|
|
|
|
LIST_ENTRY NtLmUserContextList[ NTLM_USERLIST_COUNT ]; // list array.
|
|
ULONG NtLmUserContextCount[ NTLM_USERLIST_COUNT ]; // count of active contexts
|
|
RTL_RESOURCE NtLmUserContextLock[ NTLM_USERLIST_LOCK_COUNT ]; // lock array
|
|
|
|
|
|
// Counter for exported handles;never de-refed
|
|
// Should probably do a GetSystemInfo and get a space of handles that cannot
|
|
// be valid in the Lsa process
|
|
ULONG_PTR ExportedContext = 0;
|
|
|
|
NTSTATUS
|
|
SspCreateTokenDacl(
|
|
HANDLE Token
|
|
);
|
|
|
|
ULONG
|
|
HandleToListIndex(
|
|
ULONG_PTR ContextHandle
|
|
);
|
|
|
|
ULONG
|
|
__inline
|
|
ListIndexToLockIndex(
|
|
ULONG ListIndex
|
|
);
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpUserModeInitialize
|
|
//
|
|
// Synopsis: Initialize an the MSV1_0 DLL in a client's
|
|
// address space
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: LsaVersion - Version of the security dll loading the package
|
|
// PackageVersion - Version of the MSV1_0 package
|
|
// UserFunctionTable - Receives a copy of Kerberos's user mode
|
|
// function table
|
|
// pcTables - Receives count of tables returned.
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns: STATUS_SUCCESS
|
|
//
|
|
// Notes: we do what was done in SspInitLocalContexts()
|
|
// from net\svcdlls\ntlmssp\client\sign.c and more.
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
NTSTATUS
|
|
SEC_ENTRY
|
|
SpUserModeInitialize(
|
|
IN ULONG LsaVersion,
|
|
OUT PULONG PackageVersion,
|
|
OUT PSECPKG_USER_FUNCTION_TABLE * UserFunctionTable,
|
|
OUT PULONG pcTables
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
#if DBG
|
|
SspGlobalDbflag = SSP_CRITICAL;
|
|
if( NtLmState != NtLmLsaMode )
|
|
{
|
|
InitializeCriticalSection(&SspGlobalLogFileCritSect);
|
|
}
|
|
#endif
|
|
|
|
if (LsaVersion != SECPKG_INTERFACE_VERSION)
|
|
{
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
goto Cleanup;
|
|
}
|
|
|
|
*PackageVersion = SECPKG_INTERFACE_VERSION;
|
|
|
|
NtLmUserFunctionTable.InstanceInit = SpInstanceInit;
|
|
NtLmUserFunctionTable.MakeSignature = SpMakeSignature;
|
|
NtLmUserFunctionTable.VerifySignature = SpVerifySignature;
|
|
NtLmUserFunctionTable.SealMessage = SpSealMessage;
|
|
NtLmUserFunctionTable.UnsealMessage = SpUnsealMessage;
|
|
NtLmUserFunctionTable.GetContextToken = SpGetContextToken;
|
|
NtLmUserFunctionTable.QueryContextAttributes = SpQueryContextAttributes;
|
|
NtLmUserFunctionTable.CompleteAuthToken = SpCompleteAuthToken;
|
|
NtLmUserFunctionTable.InitUserModeContext = SpInitUserModeContext;
|
|
NtLmUserFunctionTable.DeleteUserModeContext = SpDeleteUserModeContext;
|
|
NtLmUserFunctionTable.FormatCredentials = SpFormatCredentials;
|
|
NtLmUserFunctionTable.MarshallSupplementalCreds = SpMarshallSupplementalCreds;
|
|
NtLmUserFunctionTable.ExportContext = SpExportSecurityContext;
|
|
NtLmUserFunctionTable.ImportContext = SpImportSecurityContext;
|
|
|
|
*UserFunctionTable = &NtLmUserFunctionTable;
|
|
*pcTables = 1;
|
|
|
|
|
|
if ( NtLmState != NtLmLsaMode)
|
|
{
|
|
//
|
|
// SafeAllocaInitialize was already called in SpLsaModeInitialize
|
|
//
|
|
|
|
SafeAllocaInitialize(SAFEALLOCA_USE_DEFAULT,
|
|
SAFEALLOCA_USE_DEFAULT,
|
|
NtLmAllocate,
|
|
NtLmFree);
|
|
}
|
|
|
|
Cleanup:
|
|
|
|
return(SspNtStatusToSecStatus(Status, SEC_E_INTERNAL_ERROR));
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: ReferenceUserContext
|
|
//
|
|
// Synopsis: locates a user context in the list, refrences it
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns: the context, if it is found, else NULL
|
|
//
|
|
// Notes: This was SspContextReferenceContext() in
|
|
// net\svcdlls\ntlmssp\common\context.c
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
PNTLM_CLIENT_CONTEXT
|
|
ReferenceUserContext(
|
|
IN ULONG_PTR ContextHandle,
|
|
IN BOOLEAN RemoveContext )
|
|
{
|
|
SspPrint(( SSP_API_MORE, "Entering ReferenceUserContext for 0x%x\n", ContextHandle ));
|
|
PLIST_ENTRY ListEntry;
|
|
PNTLM_CLIENT_CONTEXT pContext = NULL;
|
|
ULONG ListIndex;
|
|
ULONG LockIndex;
|
|
|
|
ListIndex = HandleToListIndex( ContextHandle );
|
|
LockIndex = ListIndexToLockIndex( ListIndex );
|
|
|
|
RtlAcquireResourceShared(&NtLmUserContextLock[LockIndex], TRUE);
|
|
|
|
//
|
|
// Look for a match for the LsaContext, not user context
|
|
//
|
|
|
|
for (ListEntry = NtLmUserContextList[ListIndex].Flink;
|
|
ListEntry != &NtLmUserContextList[ListIndex];
|
|
ListEntry = ListEntry->Flink ) {
|
|
|
|
pContext = CONTAINING_RECORD(ListEntry, NTLM_CLIENT_CONTEXT, Next );
|
|
|
|
|
|
if (pContext->LsaContext != ContextHandle)
|
|
{
|
|
continue;
|
|
}
|
|
|
|
//
|
|
// Found it!
|
|
//
|
|
|
|
if (!RemoveContext)
|
|
{
|
|
InterlockedIncrement( (PLONG)&pContext->References );
|
|
RtlReleaseResource(&NtLmUserContextLock[LockIndex]);
|
|
}
|
|
else
|
|
{
|
|
RtlConvertSharedToExclusive(&NtLmUserContextLock[LockIndex]);
|
|
|
|
RemoveEntryList (&pContext->Next);
|
|
NtLmUserContextCount[ListIndex]--;
|
|
|
|
RtlReleaseResource(&NtLmUserContextLock[LockIndex]);
|
|
|
|
SspPrint(( SSP_API_MORE, "Delinked Context 0x%lx\n", pContext ));
|
|
}
|
|
|
|
SspPrint(( SSP_API_MORE, "Leaving ReferenceUserContext for 0x%x\n", ContextHandle));
|
|
return pContext;
|
|
}
|
|
|
|
|
|
// No match found
|
|
|
|
RtlReleaseResource(&NtLmUserContextLock[LockIndex]);
|
|
SspPrint(( SSP_API_MORE, "Leaving ReferenceUserContext for 0x%x\n", ContextHandle ));
|
|
return NULL;
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: FreeUserContext
|
|
//
|
|
// Synopsis: frees alloced pointers in this context and
|
|
// then frees the context
|
|
//
|
|
// Arguments: lContext - the unlinked user context
|
|
//
|
|
// Returns: STATUS_SUCCESS on success
|
|
//
|
|
// Notes:
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
NTSTATUS
|
|
FreeUserContext (
|
|
PNTLM_CLIENT_CONTEXT UserContext
|
|
)
|
|
{
|
|
SspPrint(( SSP_API_MORE, "Entering FreeUserContext for context 0x%x\n", UserContext ));
|
|
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
if (UserContext->ContextNames != NULL)
|
|
{
|
|
NtLmFree (UserContext->ContextNames);
|
|
}
|
|
|
|
if (UserContext->ClientTokenHandle != NULL)
|
|
{
|
|
NTSTATUS IgnoreStatus;
|
|
IgnoreStatus = NtClose(UserContext->ClientTokenHandle);
|
|
ASSERT (NT_SUCCESS (IgnoreStatus));
|
|
}
|
|
|
|
SspPrint(( SSP_API_MORE, "Deleting Context 0x%x\n", UserContext));
|
|
|
|
ZeroMemory( UserContext, sizeof(*UserContext) );
|
|
NtLmFree (UserContext);
|
|
|
|
SspPrint(( SSP_API_MORE, "Leaving FreeUserContext for context 0x%x, status = 0x%x\n", Status ));
|
|
|
|
return Status;
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: DereferenceUserContext
|
|
//
|
|
// Synopsis: frees alloced elements in the context, frees context
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns: None
|
|
//
|
|
// Notes: This was SspContextDereferenceContext() in
|
|
// net\svcdlls\ntlmssp\common\context.c
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
NTSTATUS
|
|
DereferenceUserContext (
|
|
PNTLM_CLIENT_CONTEXT pContext
|
|
)
|
|
{
|
|
SspPrint(( SSP_API_MORE, "Entering DereferenceUserContext 0x%lx\n", pContext ));
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
LONG References;
|
|
|
|
//
|
|
// Decrement the reference count
|
|
//
|
|
|
|
/// RtlAcquireResourceShared(&NtLmUserContextLock, TRUE);
|
|
//// ASSERT (pContext->References >= 1);
|
|
//// References = -- pContext->References;
|
|
References = InterlockedDecrement( (PLONG)&pContext->References );
|
|
ASSERT( References >= 0 );
|
|
//// RtlReleaseResource(&NtLmUserContextLock);
|
|
|
|
//
|
|
// If the count has dropped to zero, then free all alloced stuff
|
|
//
|
|
|
|
if (References == 0)
|
|
{
|
|
Status = FreeUserContext(pContext);
|
|
}
|
|
SspPrint(( SSP_API_MORE, "Leaving DereferenceUserContext\n" ));
|
|
return Status;
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpInstanceInit
|
|
//
|
|
// Synopsis: Initialize an instance of the NtLm package in a client's
|
|
// address space
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: Version - Version of the security dll loading the package
|
|
// FunctionTable - Contains helper routines for use by NtLm
|
|
// UserFunctions - Receives a copy of NtLm's user mode
|
|
// function table
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns: STATUS_SUCCESS
|
|
//
|
|
// Notes: we do what was done in SspInitLocalContexts()
|
|
// from net\svcdlls\ntlmssp\client\sign.c and more.
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS NTAPI
|
|
SpInstanceInit(
|
|
IN ULONG Version,
|
|
IN PSECPKG_DLL_FUNCTIONS DllFunctionTable,
|
|
OUT PVOID * UserFunctionTable
|
|
)
|
|
{
|
|
SspPrint(( SSP_API, "Entering SpInstanceInit\n" ));
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
ULONG Index;
|
|
|
|
|
|
// Save the Alloc/Free functions
|
|
if( NtLmState != NtLmLsaMode )
|
|
{
|
|
NtLmState = NtLmUserMode;
|
|
}
|
|
|
|
UserFunctions = DllFunctionTable;
|
|
|
|
for( Index=0 ; Index < NTLM_USERLIST_COUNT ; Index++ )
|
|
{
|
|
InitializeListHead (&NtLmUserContextList[Index]);
|
|
}
|
|
|
|
for( Index=0 ; Index < NTLM_USERLIST_LOCK_COUNT ; Index++ )
|
|
{
|
|
__try {
|
|
RtlInitializeResource (&NtLmUserContextLock[Index]);
|
|
} __except(EXCEPTION_EXECUTE_HANDLER)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
break;
|
|
}
|
|
}
|
|
|
|
SspPrint(( SSP_API, "Leaving SpInstanceInit: 0x%lx\n", Status ));
|
|
return(SspNtStatusToSecStatus(Status, SEC_E_INTERNAL_ERROR));
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpDeleteUserModeContext
|
|
//
|
|
// Synopsis: Deletes a user mode context by unlinking it and then
|
|
// dereferencing it.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: ContextHandle - Lsa context handle of the context to delete
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns: STATUS_SUCCESS on success, STATUS_INVALID_HANDLE if the
|
|
// context can't be located
|
|
//
|
|
// Notes:
|
|
// If this is an exported context, send a flag back to the LSA so that
|
|
// Lsa does not call the SecpDeleteSecurityContext in the lsa process
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS NTAPI
|
|
SpDeleteUserModeContext(
|
|
IN ULONG_PTR ContextHandle
|
|
)
|
|
{
|
|
SspPrint(( SSP_API, "Entering SpDeleteUserModeContext 0x%lx\n", ContextHandle ));
|
|
PNTLM_CLIENT_CONTEXT pContext = NULL;
|
|
NTSTATUS Status = STATUS_SUCCESS, SaveStatus = STATUS_SUCCESS;
|
|
|
|
//
|
|
// Find the currently existing user context and delink it
|
|
// so that another context cannot Reference it before we
|
|
// Dereference this one.
|
|
//
|
|
|
|
pContext = ReferenceUserContext(ContextHandle, TRUE);
|
|
|
|
if (pContext == NULL)
|
|
{
|
|
//
|
|
// pContext is legally NULL when we are dealing with an incomplete
|
|
// context. This can often be the case when the second call to
|
|
// InitializeSecurityContext() fails.
|
|
//
|
|
/// Status = STATUS_INVALID_HANDLE;
|
|
Status = STATUS_SUCCESS;
|
|
SspPrint(( SSP_API_MORE, "SpDeleteUserModeContext, local pContext is NULL\n" ));
|
|
goto CleanUp;
|
|
}
|
|
|
|
|
|
if ((pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_EXPORTED_CONTEXT) != 0)
|
|
{
|
|
// Ignore all other errors and pass back
|
|
SaveStatus = SEC_I_NO_LSA_CONTEXT;
|
|
}
|
|
|
|
|
|
CleanUp:
|
|
|
|
if (pContext != NULL)
|
|
{
|
|
Status = DereferenceUserContext(pContext);
|
|
}
|
|
|
|
if (SaveStatus == SEC_I_NO_LSA_CONTEXT)
|
|
{
|
|
Status = SaveStatus;
|
|
}
|
|
|
|
SspPrint(( SSP_API, "Leaving SpDeleteUserModeContext: 0x%lx\n", Status ));
|
|
return(SspNtStatusToSecStatus(Status, SEC_E_INTERNAL_ERROR));
|
|
}
|
|
|
|
|
|
VOID
|
|
SspRc4Key(
|
|
IN ULONG NegotiateFlags,
|
|
OUT struct RC4_KEYSTRUCT *pRc4Key,
|
|
IN PUCHAR pSessionKey
|
|
)
|
|
/*++
|
|
|
|
RoutineDescription:
|
|
|
|
Create an RC4 key schedule, making sure key length is OK for export
|
|
|
|
Arguments:
|
|
|
|
NegotiateFlags negotiate feature flags; NTLM2 bit is only one looked at
|
|
pRc4Key pointer to RC4 key schedule structure; filled in by this routine
|
|
pSessionKey pointer to session key -- must be full 16 bytes
|
|
|
|
Return Value:
|
|
|
|
--*/
|
|
{
|
|
//
|
|
// For NTLM2, effective length was already cut down
|
|
//
|
|
|
|
if ((NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2) != 0) {
|
|
|
|
rc4_key(pRc4Key, MSV1_0_USER_SESSION_KEY_LENGTH, pSessionKey);
|
|
|
|
} else if( NegotiateFlags & NTLMSSP_NEGOTIATE_LM_KEY ) {
|
|
UCHAR Key[MSV1_0_LANMAN_SESSION_KEY_LENGTH];
|
|
ULONG KeyLen;
|
|
|
|
ASSERT(MSV1_0_LANMAN_SESSION_KEY_LENGTH == 8);
|
|
|
|
// prior to Win2k, negotiated key strength had no bearing on
|
|
// key size. So, to allow proper interop to NT4, we don't
|
|
// worry about 128bit. 56bit and 40bit are the only supported options.
|
|
// 56bit is enabled because this was introduced in Win2k, and
|
|
// Win2k -> Win2k interops correctly.
|
|
//
|
|
#if 0
|
|
if( NegotiateFlags & NTLMSSP_NEGOTIATE_128 ) {
|
|
KeyLen = 8;
|
|
|
|
} else
|
|
#endif
|
|
if( NegotiateFlags & NTLMSSP_NEGOTIATE_56 ) {
|
|
KeyLen = 7;
|
|
|
|
//
|
|
// Put a well-known salt at the end of the key to
|
|
// limit the changing part to 56 bits.
|
|
//
|
|
|
|
Key[7] = 0xa0;
|
|
} else {
|
|
KeyLen = 5;
|
|
|
|
//
|
|
// Put a well-known salt at the end of the key to
|
|
// limit the changing part to 40 bits.
|
|
//
|
|
|
|
Key[5] = 0xe5;
|
|
Key[6] = 0x38;
|
|
Key[7] = 0xb0;
|
|
}
|
|
|
|
RtlCopyMemory(Key,pSessionKey,KeyLen);
|
|
|
|
SspPrint(( SSP_SESSION_KEYS, "Non NTLMv2 LM_KEY session key size: %lu key=%lx%lx\n",
|
|
KeyLen,
|
|
((DWORD*)Key)[0],
|
|
((DWORD*)Key)[1]
|
|
));
|
|
|
|
rc4_key(pRc4Key, MSV1_0_LANMAN_SESSION_KEY_LENGTH, Key);
|
|
|
|
} else {
|
|
|
|
SspPrint(( SSP_SESSION_KEYS, "Non NTLMv2 (not LM_KEY) session key size: %lu\n", 16));
|
|
rc4_key(pRc4Key, MSV1_0_USER_SESSION_KEY_LENGTH, pSessionKey);
|
|
}
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpInitUserModeContext
|
|
//
|
|
// Synopsis: Creates a user-mode context from a packed LSA mode context
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: ContextHandle - Lsa mode context handle for the context
|
|
// PackedContext - A marshalled buffer containing the LSA
|
|
// mode context.
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns: STATUS_SUCCESS or STATUS_INSUFFICIENT_RESOURCES
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS NTAPI
|
|
SpInitUserModeContext(
|
|
IN ULONG_PTR ContextHandle,
|
|
IN PSecBuffer PackedContext
|
|
)
|
|
{
|
|
ASSERT(PackedContext);
|
|
|
|
|
|
SspPrint(( SSP_API, "Entering SpInitUserModeContext 0x%lx\n", ContextHandle ));
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PNTLM_CLIENT_CONTEXT pContext = NULL;
|
|
UINT Length = 0;
|
|
PNTLM_PACKED_CONTEXT pTmpContext = (PNTLM_PACKED_CONTEXT) PackedContext->pvBuffer;
|
|
ULONG ListIndex;
|
|
ULONG LockIndex;
|
|
|
|
if (PackedContext->cbBuffer < sizeof(NTLM_PACKED_CONTEXT))
|
|
{
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
SspPrint(( SSP_CRITICAL, "SpInitUserModeContext, ContextData size < NTLM_CLIENT_CONTEXT\n" ));
|
|
goto Cleanup;
|
|
}
|
|
|
|
pContext = (PNTLM_CLIENT_CONTEXT) NtLmAllocate( sizeof(NTLM_CLIENT_CONTEXT) );
|
|
|
|
if (!pContext)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
SspPrint(( SSP_CRITICAL, "SpInitUserModeContext, NtLmAllocate returns NULL\n" ));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// If ClientTokenHandle is NULL, we are being called as
|
|
// as an effect of InitializeSecurityContext, else we are
|
|
// being called because of AcceptSecurityContext
|
|
//
|
|
|
|
if (pTmpContext->ClientTokenHandle != NULL )
|
|
{
|
|
pContext->ClientTokenHandle = (HANDLE) ULongToPtr(pTmpContext->ClientTokenHandle);
|
|
if (FAILED(SspCreateTokenDacl(pContext->ClientTokenHandle)))
|
|
{
|
|
Status = STATUS_INVALID_HANDLE;
|
|
SspPrint(( SSP_CRITICAL, "SpInitUserModeContext, SspCreateTokenDacl failed\n" ));
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
// Copy contents of PackedContext->pvBuffer to pContext
|
|
|
|
pContext->LsaContext = ContextHandle;
|
|
pContext->NegotiateFlags = pTmpContext->NegotiateFlags;
|
|
|
|
|
|
SspPrint((SSP_NEGOTIATE_FLAGS, "SpInitUserModeContext NegotiateFlags: %lx\n", pContext->NegotiateFlags));
|
|
|
|
pContext->References = 1;
|
|
|
|
|
|
//
|
|
// keep all 128 bits here, so signing can be strong even if encrypt can't be
|
|
//
|
|
|
|
RtlCopyMemory( pContext->SessionKey,
|
|
pTmpContext->SessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
|
|
//
|
|
// if doing full duplex as part of NTLM2, generate different sign
|
|
// and seal keys for each direction
|
|
// all we do is MD5 the base session key with a different magic constant
|
|
//
|
|
|
|
if ( pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2 ) {
|
|
MD5_CTX Md5Context;
|
|
ULONG KeyLen;
|
|
|
|
ASSERT(MD5DIGESTLEN == MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
|
|
if( pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_128 )
|
|
KeyLen = 16;
|
|
else if( pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_56 )
|
|
KeyLen = 7;
|
|
else
|
|
KeyLen = 5;
|
|
|
|
SspPrint(( SSP_SESSION_KEYS, "NTLMv2 session key size: %lu\n", KeyLen));
|
|
|
|
//
|
|
// make client to server encryption key
|
|
//
|
|
|
|
MD5Init(&Md5Context);
|
|
MD5Update(&Md5Context, pContext->SessionKey, KeyLen);
|
|
MD5Update(&Md5Context, (unsigned char*)CSSEALMAGIC, sizeof(CSSEALMAGIC));
|
|
MD5Final(&Md5Context);
|
|
|
|
//
|
|
// if TokenHandle == NULL, this is the client side
|
|
// put key in the right place: for client it's seal, for server it's unseal
|
|
//
|
|
|
|
if (pContext->ClientTokenHandle == NULL)
|
|
RtlCopyMemory(pContext->SealSessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
else
|
|
RtlCopyMemory(pContext->UnsealSessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
|
|
//
|
|
// make server to client encryption key
|
|
//
|
|
|
|
MD5Init(&Md5Context);
|
|
MD5Update(&Md5Context, pContext->SessionKey, KeyLen);
|
|
MD5Update(&Md5Context, (unsigned char*)SCSEALMAGIC, sizeof(SCSEALMAGIC));
|
|
MD5Final(&Md5Context);
|
|
ASSERT(MD5DIGESTLEN == MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
if (pContext->ClientTokenHandle == NULL)
|
|
RtlCopyMemory(pContext->UnsealSessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
else
|
|
RtlCopyMemory(pContext->SealSessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
|
|
//
|
|
// make client to server signing key -- always 128 bits!
|
|
//
|
|
|
|
MD5Init(&Md5Context);
|
|
MD5Update(&Md5Context, pContext->SessionKey, MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
MD5Update(&Md5Context, (unsigned char*)CSSIGNMAGIC, sizeof(CSSIGNMAGIC));
|
|
MD5Final(&Md5Context);
|
|
if (pContext->ClientTokenHandle == NULL)
|
|
RtlCopyMemory(pContext->SignSessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
else
|
|
RtlCopyMemory(pContext->VerifySessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
|
|
//
|
|
// make server to client signing key
|
|
//
|
|
|
|
MD5Init(&Md5Context);
|
|
MD5Update(&Md5Context, pContext->SessionKey, MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
MD5Update(&Md5Context, (unsigned char*)SCSIGNMAGIC, sizeof(SCSIGNMAGIC));
|
|
MD5Final(&Md5Context);
|
|
if (pContext->ClientTokenHandle == NULL)
|
|
RtlCopyMemory(pContext->VerifySessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
else
|
|
RtlCopyMemory(pContext->SignSessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
|
|
//
|
|
// set pointers to different key schedule and nonce for each direction
|
|
// key schedule will be filled in later...
|
|
//
|
|
|
|
pContext->pSealRc4Sched = &pContext->SealRc4Sched;
|
|
pContext->pUnsealRc4Sched = &pContext->UnsealRc4Sched;
|
|
pContext->pSendNonce = &pContext->SendNonce;
|
|
pContext->pRecvNonce = &pContext->RecvNonce;
|
|
} else {
|
|
|
|
//
|
|
// just copy session key to all four keys
|
|
// leave them 128 bits -- they get cut to 40 bits later
|
|
//
|
|
|
|
RtlCopyMemory( pContext->SealSessionKey,
|
|
pContext->SessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
RtlCopyMemory( pContext->UnsealSessionKey,
|
|
pContext->SessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
RtlCopyMemory( pContext->SignSessionKey,
|
|
pContext->SessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
RtlCopyMemory( pContext->VerifySessionKey,
|
|
pContext->SessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
|
|
//
|
|
// set pointers to share a key schedule and nonce for each direction
|
|
// (OK because half duplex!)
|
|
//
|
|
|
|
pContext->pSealRc4Sched = &pContext->SealRc4Sched;
|
|
pContext->pUnsealRc4Sched = &pContext->SealRc4Sched;
|
|
pContext->pSendNonce = &pContext->SendNonce;
|
|
pContext->pRecvNonce = &pContext->SendNonce;
|
|
}
|
|
|
|
if ( pTmpContext->ContextNames )
|
|
{
|
|
pContext->ContextNames = (PWSTR) NtLmAllocate( pTmpContext->ContextNameLength );
|
|
|
|
if ( pContext->ContextNames == NULL )
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES ;
|
|
goto Cleanup ;
|
|
}
|
|
|
|
RtlCopyMemory(
|
|
pContext->ContextNames,
|
|
((PUCHAR) pTmpContext) + pTmpContext->ContextNames,
|
|
pTmpContext->ContextNameLength );
|
|
}
|
|
else
|
|
{
|
|
pContext->ContextNames = NULL ;
|
|
}
|
|
|
|
pContext->SendNonce = pTmpContext->SendNonce;
|
|
pContext->RecvNonce = pTmpContext->RecvNonce;
|
|
|
|
SspRc4Key(pContext->NegotiateFlags, &pContext->SealRc4Sched, pContext->SealSessionKey);
|
|
SspRc4Key(pContext->NegotiateFlags, &pContext->UnsealRc4Sched, pContext->UnsealSessionKey);
|
|
|
|
|
|
pContext->PasswordExpiry = pTmpContext->PasswordExpiry;
|
|
pContext->UserFlags = pTmpContext->UserFlags;
|
|
|
|
|
|
ListIndex = HandleToListIndex( pContext->LsaContext );
|
|
LockIndex = ListIndexToLockIndex( ListIndex );
|
|
|
|
RtlAcquireResourceExclusive(&NtLmUserContextLock[LockIndex], TRUE);
|
|
|
|
InsertHeadList ( &NtLmUserContextList[ListIndex], &pContext->Next );
|
|
NtLmUserContextCount[ListIndex]++;
|
|
|
|
RtlReleaseResource(&NtLmUserContextLock[LockIndex]);
|
|
|
|
|
|
Cleanup:
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
if (pContext != NULL)
|
|
{
|
|
FreeUserContext(pContext);
|
|
}
|
|
}
|
|
|
|
// Let FreeContextBuffer handle freeing the virtual allocs
|
|
|
|
if (PackedContext->pvBuffer != NULL)
|
|
{
|
|
FreeContextBuffer(PackedContext->pvBuffer);
|
|
PackedContext->pvBuffer = NULL;
|
|
}
|
|
|
|
SspPrint(( SSP_API, "Leaving SpInitUserModeContext: 0x%lx\n", Status ));
|
|
return(SspNtStatusToSecStatus(Status, SEC_E_INTERNAL_ERROR));
|
|
}
|
|
|
|
|
|
//
|
|
// Bogus add-shift check sum
|
|
//
|
|
|
|
void
|
|
SspGenCheckSum(
|
|
IN PSecBuffer pMessage,
|
|
OUT PNTLMSSP_MESSAGE_SIGNATURE pSig
|
|
)
|
|
|
|
/*++
|
|
|
|
RoutineDescription:
|
|
|
|
Generate a crc-32 checksum for a buffer
|
|
|
|
Arguments:
|
|
|
|
Return Value:
|
|
Notes: This was stolen from net\svcdlls\ntlmssp\client\sign.c ,
|
|
routine SspGenCheckSum. It's possible that
|
|
bugs got copied too
|
|
|
|
--*/
|
|
|
|
{
|
|
Crc32(pSig->CheckSum,pMessage->cbBuffer,pMessage->pvBuffer,&pSig->CheckSum);
|
|
}
|
|
|
|
|
|
VOID
|
|
SspEncryptBuffer(
|
|
IN PNTLM_CLIENT_CONTEXT pContext,
|
|
IN struct RC4_KEYSTRUCT * pRc4Key,
|
|
IN ULONG BufferSize,
|
|
IN OUT PVOID Buffer
|
|
)
|
|
|
|
/*++
|
|
|
|
RoutineDescription:
|
|
|
|
Encrypts a buffer with the RC4 key in the context. If the context
|
|
is for a datagram session, then the key is copied before being used
|
|
to encrypt the buffer.
|
|
|
|
Arguments:
|
|
|
|
pContext - Context containing the key to encrypt the data
|
|
|
|
BufferSize - Length of buffer in bytes
|
|
|
|
Buffer - Buffer to encrypt.
|
|
Notes: This was stolen from net\svcdlls\ntlmssp\client\sign.c ,
|
|
routine SspEncryptBuffer. It's possible that
|
|
bugs got copied too
|
|
|
|
Return Value:
|
|
|
|
--*/
|
|
|
|
{
|
|
struct RC4_KEYSTRUCT TemporaryKey;
|
|
/// struct RC4_KEYSTRUCT * EncryptionKey = &pContext->Rc4Key;
|
|
struct RC4_KEYSTRUCT * EncryptionKey = pRc4Key;
|
|
|
|
if (BufferSize == 0)
|
|
{
|
|
return;
|
|
}
|
|
|
|
//
|
|
// For datagram (application supplied sequence numbers) before NTLM2
|
|
// we used to copy the key before encrypting so we don't
|
|
// have a changing key; but that reused the key stream. Now we only
|
|
// do that when backwards compatibility is explicitly called for.
|
|
//
|
|
|
|
if (((pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_DATAGRAM) != 0) &&
|
|
((pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2) == 0) ) {
|
|
|
|
RtlCopyMemory(
|
|
&TemporaryKey,
|
|
EncryptionKey,
|
|
sizeof(struct RC4_KEYSTRUCT)
|
|
);
|
|
EncryptionKey = &TemporaryKey;
|
|
|
|
}
|
|
|
|
rc4(
|
|
EncryptionKey,
|
|
BufferSize,
|
|
(PUCHAR) Buffer
|
|
);
|
|
}
|
|
|
|
|
|
typedef enum _eSignSealOp {
|
|
eSign, // MakeSignature is calling
|
|
eVerify, // VerifySignature is calling
|
|
eSeal, // SealMessage is calling
|
|
eUnseal // UnsealMessage is calling
|
|
} eSignSealOp;
|
|
|
|
SECURITY_STATUS
|
|
SspSignSealHelper(
|
|
IN PNTLM_CLIENT_CONTEXT pContext,
|
|
IN eSignSealOp Op,
|
|
IN OUT PSecBufferDesc pMessage,
|
|
IN ULONG MessageSeqNo,
|
|
OUT PNTLMSSP_MESSAGE_SIGNATURE pSig,
|
|
OUT PNTLMSSP_MESSAGE_SIGNATURE * ppSig
|
|
)
|
|
/*++
|
|
|
|
RoutineDescription:
|
|
|
|
Handle signing a message
|
|
|
|
Arguments:
|
|
|
|
Return Value:
|
|
|
|
--*/
|
|
|
|
{
|
|
|
|
HMACMD5_CTX HMACMD5Context;
|
|
UCHAR TempSig[MD5DIGESTLEN];
|
|
NTLMSSP_MESSAGE_SIGNATURE Sig;
|
|
int Signature;
|
|
ULONG i;
|
|
PUCHAR pKey; // ptr to key to use for encryption
|
|
PUCHAR pSignKey; // ptr to key to use for signing
|
|
PULONG pNonce; // ptr to nonce to use
|
|
struct RC4_KEYSTRUCT * pRc4Sched; // ptr to key schedule to use
|
|
|
|
NTLMSSP_MESSAGE_SIGNATURE AlignedSig; // aligned copy of input sig data
|
|
|
|
|
|
|
|
Signature = -1;
|
|
for (i = 0; i < pMessage->cBuffers; i++)
|
|
{
|
|
if ((pMessage->pBuffers[i].BufferType & 0xFF) == SECBUFFER_TOKEN)
|
|
{
|
|
Signature = i;
|
|
break;
|
|
}
|
|
}
|
|
if (Signature == -1)
|
|
{
|
|
return(SEC_E_INVALID_TOKEN);
|
|
}
|
|
|
|
if (pMessage->pBuffers[Signature].cbBuffer < NTLMSSP_MESSAGE_SIGNATURE_SIZE)
|
|
{
|
|
return(SEC_E_INVALID_TOKEN);
|
|
}
|
|
|
|
*ppSig = (NTLMSSP_MESSAGE_SIGNATURE*)pMessage->pBuffers[Signature].pvBuffer;
|
|
|
|
RtlCopyMemory( &AlignedSig, *ppSig, sizeof(AlignedSig) );
|
|
|
|
//
|
|
// If sequence detect wasn't requested, put on an empty
|
|
// security token . Don't do the check if Seal/Unseal is called.
|
|
//
|
|
|
|
if (!(pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_SIGN) &&
|
|
(Op == eSign || Op == eVerify))
|
|
{
|
|
RtlZeroMemory(pSig,NTLMSSP_MESSAGE_SIGNATURE_SIZE);
|
|
pSig->Version = NTLM_SIGN_VERSION;
|
|
return(SEC_E_OK);
|
|
}
|
|
|
|
// figure out which key, key schedule, and nonce to use
|
|
// depends on the op. SspAddLocalContext set up so that code on client
|
|
// and server just (un)seals with (un)seal key or key schedule, etc.
|
|
// and also sets pointers to share sending/receiving key schedule/nonce
|
|
// when in half duplex mode. Hence, this code gets to act as if it were
|
|
// always in full duplex mode.
|
|
switch (Op) {
|
|
case eSeal:
|
|
pSignKey = pContext->SignSessionKey; // if NTLM2
|
|
pKey = pContext->SealSessionKey;
|
|
pRc4Sched = pContext->pSealRc4Sched;
|
|
pNonce = pContext->pSendNonce;
|
|
break;
|
|
case eUnseal:
|
|
pSignKey = pContext->VerifySessionKey; // if NTLM2
|
|
pKey = pContext->UnsealSessionKey;
|
|
pRc4Sched = pContext->pUnsealRc4Sched;
|
|
pNonce = pContext->pRecvNonce;
|
|
break;
|
|
case eSign:
|
|
pSignKey = pContext->SignSessionKey; // if NTLM2
|
|
pKey = pContext->SealSessionKey; // might be used to encrypt the signature
|
|
pRc4Sched = pContext->pSealRc4Sched;
|
|
pNonce = pContext->pSendNonce;
|
|
break;
|
|
case eVerify:
|
|
pSignKey = pContext->VerifySessionKey; // if NTLM2
|
|
pKey = pContext->UnsealSessionKey; // might be used to decrypt the signature
|
|
pRc4Sched = pContext->pUnsealRc4Sched;
|
|
pNonce = pContext->pRecvNonce;
|
|
break;
|
|
}
|
|
|
|
//
|
|
// Either we can supply the sequence number, or
|
|
// the application can supply the message sequence number.
|
|
//
|
|
|
|
Sig.Version = NTLM_SIGN_VERSION;
|
|
|
|
// if we're doing the new NTLM2 version:
|
|
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2) {
|
|
|
|
if ((pContext->NegotiateFlags & NTLMSSP_APP_SEQ) == 0)
|
|
{
|
|
Sig.Nonce = *pNonce; // use our sequence number
|
|
(*pNonce) += 1;
|
|
}
|
|
else {
|
|
|
|
if (Op == eSeal || Op == eSign || MessageSeqNo != 0)
|
|
Sig.Nonce = MessageSeqNo;
|
|
else
|
|
Sig.Nonce = AlignedSig.Nonce;
|
|
|
|
// if using RC4, must rekey for each packet
|
|
// RC4 is used for seal, unseal; and for encrypting the HMAC hash if
|
|
// key exchange was negotiated (we use just HMAC if no key exchange,
|
|
// so that a good signing option exists with no RC4 encryption needed)
|
|
|
|
if (Op == eSeal || Op == eUnseal || pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_KEY_EXCH)
|
|
{
|
|
MD5_CTX Md5ContextReKey;
|
|
|
|
MD5Init(&Md5ContextReKey);
|
|
MD5Update(&Md5ContextReKey, pKey, MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
MD5Update(&Md5ContextReKey, (unsigned char*)&Sig.Nonce, sizeof(Sig.Nonce));
|
|
MD5Final(&Md5ContextReKey);
|
|
ASSERT(MD5DIGESTLEN == MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
SspRc4Key(pContext->NegotiateFlags, pRc4Sched, Md5ContextReKey.digest);
|
|
}
|
|
}
|
|
|
|
//
|
|
// using HMAC hash, init it with the key
|
|
//
|
|
|
|
HMACMD5Init(&HMACMD5Context, pSignKey, MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
|
|
//
|
|
// include the message sequence number
|
|
//
|
|
|
|
HMACMD5Update(&HMACMD5Context, (unsigned char*)&Sig.Nonce, sizeof(Sig.Nonce));
|
|
|
|
for (i = 0; i < pMessage->cBuffers ; i++ )
|
|
{
|
|
if (((pMessage->pBuffers[i].BufferType & 0xFF) == SECBUFFER_DATA) &&
|
|
(pMessage->pBuffers[i].cbBuffer != 0))
|
|
{
|
|
// decrypt (before checksum...) if it's not READ_ONLY
|
|
if ((Op==eUnseal)
|
|
&& !(pMessage->pBuffers[i].BufferType & SECBUFFER_READONLY)
|
|
)
|
|
{
|
|
SspEncryptBuffer(
|
|
pContext,
|
|
pRc4Sched,
|
|
pMessage->pBuffers[i].cbBuffer,
|
|
pMessage->pBuffers[i].pvBuffer
|
|
);
|
|
}
|
|
|
|
HMACMD5Update(
|
|
&HMACMD5Context,
|
|
(unsigned char*)pMessage->pBuffers[i].pvBuffer,
|
|
pMessage->pBuffers[i].cbBuffer);
|
|
|
|
//
|
|
// Encrypt if its not READ_ONLY
|
|
//
|
|
|
|
if ((Op==eSeal)
|
|
&& !(pMessage->pBuffers[i].BufferType & SECBUFFER_READONLY)
|
|
)
|
|
{
|
|
SspEncryptBuffer(
|
|
pContext,
|
|
pRc4Sched,
|
|
pMessage->pBuffers[i].cbBuffer,
|
|
pMessage->pBuffers[i].pvBuffer
|
|
);
|
|
}
|
|
}
|
|
}
|
|
|
|
HMACMD5Final(&HMACMD5Context, TempSig);
|
|
|
|
//
|
|
// use RandomPad and Checksum fields for 8 bytes of MD5 hash
|
|
//
|
|
|
|
RtlCopyMemory(&Sig.RandomPad, TempSig, 8);
|
|
|
|
//
|
|
// if we're using crypto for KEY_EXCH, may as well use it for signing too...
|
|
//
|
|
|
|
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_KEY_EXCH)
|
|
SspEncryptBuffer(
|
|
pContext,
|
|
pRc4Sched,
|
|
8,
|
|
&Sig.RandomPad
|
|
);
|
|
}
|
|
//
|
|
// pre-NTLM2 methods
|
|
//
|
|
else {
|
|
|
|
//
|
|
// required by CRC-32 algorithm
|
|
//
|
|
Sig.CheckSum = 0xffffffff;
|
|
|
|
for (i = 0; i < pMessage->cBuffers ; i++ )
|
|
{
|
|
if (((pMessage->pBuffers[i].BufferType & 0xFF) == SECBUFFER_DATA) &&
|
|
!(pMessage->pBuffers[i].BufferType & SECBUFFER_READONLY) &&
|
|
(pMessage->pBuffers[i].cbBuffer != 0))
|
|
{
|
|
// decrypt (before checksum...)
|
|
if (Op==eUnseal)
|
|
{
|
|
SspEncryptBuffer(
|
|
pContext,
|
|
pRc4Sched,
|
|
pMessage->pBuffers[i].cbBuffer,
|
|
pMessage->pBuffers[i].pvBuffer
|
|
);
|
|
}
|
|
|
|
SspGenCheckSum(&pMessage->pBuffers[i], &Sig);
|
|
|
|
|
|
// Encrypt
|
|
if (Op==eSeal)
|
|
{
|
|
SspEncryptBuffer(
|
|
pContext,
|
|
pRc4Sched,
|
|
pMessage->pBuffers[i].cbBuffer,
|
|
pMessage->pBuffers[i].pvBuffer
|
|
);
|
|
}
|
|
}
|
|
}
|
|
|
|
//
|
|
// Required by CRC-32 algorithm
|
|
//
|
|
|
|
Sig.CheckSum ^= 0xffffffff;
|
|
|
|
// when we encrypt 0, we will get the cipher stream for the nonce!
|
|
Sig.Nonce = 0;
|
|
|
|
SspEncryptBuffer(
|
|
pContext,
|
|
pRc4Sched,
|
|
sizeof(NTLMSSP_MESSAGE_SIGNATURE) - sizeof(ULONG),
|
|
&Sig.RandomPad
|
|
);
|
|
|
|
if ((pContext->NegotiateFlags & NTLMSSP_APP_SEQ) == 0)
|
|
{
|
|
Sig.Nonce ^= *pNonce; // use our sequence number and encrypt it
|
|
(*pNonce) += 1;
|
|
}
|
|
else if (Op == eSeal || Op == eSign || MessageSeqNo != 0)
|
|
Sig.Nonce ^= MessageSeqNo; // use caller's sequence number and encrypt it
|
|
else
|
|
Sig.Nonce = AlignedSig.Nonce; // use sender's sequence number
|
|
|
|
//
|
|
// for SignMessage calling, does nothing (copies garbage)
|
|
// For VerifyMessage calling, allows it to compare sig block
|
|
// upon return to Verify without knowing whether its MD5 or CRC32
|
|
//
|
|
|
|
Sig.RandomPad = AlignedSig.RandomPad;
|
|
}
|
|
|
|
pMessage->pBuffers[Signature].cbBuffer = sizeof(NTLMSSP_MESSAGE_SIGNATURE);
|
|
|
|
RtlCopyMemory(
|
|
pSig,
|
|
&Sig,
|
|
NTLMSSP_MESSAGE_SIGNATURE_SIZE
|
|
);
|
|
|
|
return(SEC_E_OK);
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpMakeSignature
|
|
//
|
|
// Synopsis: Signs a message buffer by calculatinga checksum over all
|
|
// the non-read only data buffers and encrypting the checksum
|
|
// along with a nonce.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: ContextHandle - Handle of the context to use to sign the
|
|
// message.
|
|
// QualityOfProtection - Unused flags.
|
|
// MessageBuffers - Contains an array of buffers to sign and
|
|
// to store the signature.
|
|
// MessageSequenceNumber - Sequence number for this message,
|
|
// only used in datagram cases.
|
|
//
|
|
// Requires: STATUS_INVALID_HANDLE - the context could not be found or
|
|
// was not configured for message integrity.
|
|
// STATUS_INVALID_PARAMETER - the signature buffer could not
|
|
// be found.
|
|
// STATUS_BUFFER_TOO_SMALL - the signature buffer is too small
|
|
// to hold the signature
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes: This was stolen from net\svcdlls\ntlmssp\client\sign.c ,
|
|
// routine SspHandleSignMessage. It's possible that
|
|
// bugs got copied too
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS NTAPI
|
|
SpMakeSignature(
|
|
IN ULONG_PTR ContextHandle,
|
|
IN ULONG fQOP,
|
|
IN PSecBufferDesc pMessage,
|
|
IN ULONG MessageSeqNo
|
|
)
|
|
{
|
|
SspPrint(( SSP_API, "Entering SpMakeSignature\n" ));
|
|
NTSTATUS Status = S_OK;
|
|
NTSTATUS SubStatus = S_OK;
|
|
|
|
PNTLM_CLIENT_CONTEXT pContext;
|
|
NTLMSSP_MESSAGE_SIGNATURE Sig;
|
|
NTLMSSP_MESSAGE_SIGNATURE *pSig;
|
|
|
|
UNREFERENCED_PARAMETER(fQOP);
|
|
|
|
pContext = ReferenceUserContext(ContextHandle, FALSE);
|
|
|
|
if (pContext == NULL)
|
|
{
|
|
Status = STATUS_INVALID_HANDLE;
|
|
SspPrint(( SSP_CRITICAL, "SpMakeSignature, ReferenceUserContext returns NULL\n" ));
|
|
goto CleanUp;
|
|
}
|
|
|
|
|
|
Status = SspSignSealHelper(
|
|
pContext,
|
|
eSign,
|
|
pMessage,
|
|
MessageSeqNo,
|
|
&Sig,
|
|
&pSig
|
|
);
|
|
|
|
if( !NT_SUCCESS(Status) ) {
|
|
SspPrint(( SSP_CRITICAL, "SpMakeSignature, SspSignSealHelper returns %lx\n", Status ));
|
|
goto CleanUp;
|
|
}
|
|
|
|
RtlCopyMemory(
|
|
pSig,
|
|
&Sig,
|
|
NTLMSSP_MESSAGE_SIGNATURE_SIZE
|
|
);
|
|
|
|
|
|
CleanUp:
|
|
|
|
if (pContext != NULL)
|
|
{
|
|
SubStatus = DereferenceUserContext(pContext);
|
|
|
|
// Don't destroy real status
|
|
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
Status = SubStatus;
|
|
}
|
|
}
|
|
|
|
SspPrint(( SSP_API, "Leaving SpMakeSignature: 0x%lx\n", Status ));
|
|
return(SspNtStatusToSecStatus(Status, SEC_E_INTERNAL_ERROR));
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpVerifySignature
|
|
//
|
|
// Synopsis: Verifies a signed message buffer by calculating a checksum over all
|
|
// the non-read only data buffers and encrypting the checksum
|
|
// along with a nonce.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: ContextHandle - Handle of the context to use to sign the
|
|
// message.
|
|
// MessageBuffers - Contains an array of signed buffers and
|
|
// a signature buffer.
|
|
// MessageSequenceNumber - Sequence number for this message,
|
|
// only used in datagram cases.
|
|
// QualityOfProtection - Unused flags.
|
|
//
|
|
// Requires: STATUS_INVALID_HANDLE - the context could not be found or
|
|
// was not configured for message integrity.
|
|
// STATUS_INVALID_PARAMETER - the signature buffer could not
|
|
// be found or was too small.
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes: This was stolen from net\svcdlls\ntlmssp\client\sign.c ,
|
|
// routine SspHandleVerifyMessage. It's possible that
|
|
// bugs got copied too
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
|
|
NTSTATUS NTAPI
|
|
SpVerifySignature(
|
|
IN ULONG_PTR ContextHandle,
|
|
IN PSecBufferDesc pMessage,
|
|
IN ULONG MessageSeqNo,
|
|
OUT PULONG pfQOP
|
|
)
|
|
{
|
|
SspPrint(( SSP_API, "Entering SpVerifySignature\n" ));
|
|
NTSTATUS Status = S_OK;
|
|
NTSTATUS SubStatus = S_OK;
|
|
PNTLM_CLIENT_CONTEXT pContext;
|
|
NTLMSSP_MESSAGE_SIGNATURE Sig;
|
|
PNTLMSSP_MESSAGE_SIGNATURE pSig; // pointer to buffer with sig in it
|
|
NTLMSSP_MESSAGE_SIGNATURE AlignedSig; // Aligned sig buffer.
|
|
|
|
UNREFERENCED_PARAMETER(pfQOP);
|
|
|
|
pContext = ReferenceUserContext(ContextHandle, FALSE);
|
|
|
|
if (!pContext)
|
|
{
|
|
Status = STATUS_INVALID_HANDLE;
|
|
SspPrint(( SSP_CRITICAL, "SpVerifySignature, ReferenceUserContext returns NULL\n" ));
|
|
goto CleanUp;
|
|
}
|
|
|
|
Status = SspSignSealHelper(
|
|
pContext,
|
|
eVerify,
|
|
pMessage,
|
|
MessageSeqNo,
|
|
&Sig,
|
|
&pSig
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SpVerifySignature, SspSignSealHelper returns %lx\n", Status ));
|
|
goto CleanUp;
|
|
}
|
|
|
|
|
|
RtlCopyMemory( &AlignedSig, pSig, sizeof( AlignedSig ) );
|
|
|
|
if (AlignedSig.Version != NTLM_SIGN_VERSION) {
|
|
SspPrint(( SSP_CRITICAL, "SpVerifySignature, unknown Version wanted=%lx got=%lx\n",
|
|
NTLM_SIGN_VERSION,
|
|
AlignedSig.Version
|
|
));
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
goto CleanUp;
|
|
}
|
|
|
|
// validate the signature...
|
|
if (AlignedSig.CheckSum != Sig.CheckSum)
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SpVerifySignature, CheckSum mis-match wanted=%lx got=%lx\n",
|
|
Sig.CheckSum,
|
|
AlignedSig.CheckSum
|
|
));
|
|
Status = SEC_E_MESSAGE_ALTERED;
|
|
goto CleanUp;
|
|
}
|
|
|
|
// with MD5 sig, this now matters!
|
|
if (AlignedSig.RandomPad != Sig.RandomPad)
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SpVerifySignature, RandomPad mis-match wanted=%lx got=%lx\n",
|
|
Sig.RandomPad,
|
|
AlignedSig.RandomPad
|
|
));
|
|
Status = SEC_E_MESSAGE_ALTERED;
|
|
goto CleanUp;
|
|
}
|
|
|
|
if (AlignedSig.Nonce != Sig.Nonce)
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SpVerifySignature, Nonce mis-match wanted=%lx got=%lx\n",
|
|
Sig.Nonce,
|
|
AlignedSig.Nonce
|
|
));
|
|
|
|
Status = SEC_E_OUT_OF_SEQUENCE;
|
|
goto CleanUp;
|
|
}
|
|
|
|
|
|
CleanUp:
|
|
|
|
if (pContext != NULL)
|
|
{
|
|
SubStatus = DereferenceUserContext(pContext);
|
|
|
|
// Don't destroy real status
|
|
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
Status = SubStatus;
|
|
}
|
|
}
|
|
|
|
SspPrint(( SSP_API, "Leaving SpVerifySignature: 0x%lx\n", Status ));
|
|
return(SspNtStatusToSecStatus(Status, SEC_E_INTERNAL_ERROR));
|
|
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpSealMessage
|
|
//
|
|
// Synopsis: Verifies a signed message buffer by calculating a checksum over all
|
|
// the non-read only data buffers and encrypting the checksum
|
|
// along with a nonce.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: ContextHandle - Handle of the context to use to sign the
|
|
// message.
|
|
// MessageBuffers - Contains an array of signed buffers and
|
|
// a signature buffer.
|
|
// MessageSequenceNumber - Sequence number for this message,
|
|
// only used in datagram cases.
|
|
// QualityOfProtection - Unused flags.
|
|
//
|
|
// Requires: STATUS_INVALID_HANDLE - the context could not be found or
|
|
// was not configured for message integrity.
|
|
// STATUS_INVALID_PARAMETER - the signature buffer could not
|
|
// be found or was too small.
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes: This was stolen from net\svcdlls\ntlmssp\client\sign.c ,
|
|
// routine SspHandleSealMessage. It's possible that
|
|
// bugs got copied too
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS NTAPI
|
|
SpSealMessage(
|
|
IN ULONG_PTR ContextHandle,
|
|
IN ULONG fQOP,
|
|
IN PSecBufferDesc pMessage,
|
|
IN ULONG MessageSeqNo
|
|
)
|
|
{
|
|
SspPrint(( SSP_API, "Entering SpSealMessage\n" ));
|
|
NTSTATUS Status = S_OK;
|
|
NTSTATUS SubStatus = S_OK;
|
|
PNTLM_CLIENT_CONTEXT pContext;
|
|
NTLMSSP_MESSAGE_SIGNATURE Sig;
|
|
PNTLMSSP_MESSAGE_SIGNATURE pSig; // pointer to buffer where sig goes
|
|
|
|
ULONG i;
|
|
|
|
UNREFERENCED_PARAMETER(fQOP);
|
|
|
|
pContext = ReferenceUserContext(ContextHandle, FALSE);
|
|
|
|
if (!pContext)
|
|
{
|
|
Status = STATUS_INVALID_HANDLE;
|
|
SspPrint(( SSP_CRITICAL, "SpSealMessage, ReferenceUserContext returns NULL\n" ));
|
|
goto CleanUp;
|
|
}
|
|
|
|
|
|
Status = SspSignSealHelper(
|
|
pContext,
|
|
eSeal,
|
|
pMessage,
|
|
MessageSeqNo,
|
|
&Sig,
|
|
&pSig
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SpVerifySignature, SspSignSealHelper returns %lx\n", Status ));
|
|
goto CleanUp;
|
|
}
|
|
|
|
RtlCopyMemory(
|
|
pSig,
|
|
&Sig,
|
|
NTLMSSP_MESSAGE_SIGNATURE_SIZE
|
|
);
|
|
|
|
|
|
//
|
|
// for gss style sign/seal, strip the padding as RC4 requires none.
|
|
// (in fact, we rely on this to simplify the size computation in DecryptMessage).
|
|
// if we support some other block cipher, need to rev the NTLM_ token version to make blocksize
|
|
//
|
|
|
|
for (i = 0; i < pMessage->cBuffers; i++)
|
|
{
|
|
if ((pMessage->pBuffers[i].BufferType & 0xFF) == SECBUFFER_PADDING)
|
|
{
|
|
//
|
|
// no padding required!
|
|
//
|
|
|
|
pMessage->pBuffers[i].cbBuffer = 0;
|
|
break;
|
|
}
|
|
}
|
|
|
|
|
|
CleanUp:
|
|
|
|
if (pContext != NULL)
|
|
{
|
|
SubStatus = DereferenceUserContext(pContext);
|
|
|
|
// Don't destroy real status
|
|
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
Status = SubStatus;
|
|
}
|
|
}
|
|
|
|
SspPrint(( SSP_API, "Leaving SpSealMessage: 0x%lx\n", Status ));
|
|
return(SspNtStatusToSecStatus(Status, SEC_E_INTERNAL_ERROR));
|
|
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpUnsealMessage
|
|
//
|
|
// Synopsis: Verifies a signed message buffer by calculating a checksum over all
|
|
// the non-read only data buffers and encrypting the checksum
|
|
// along with a nonce.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: ContextHandle - Handle of the context to use to sign the
|
|
// message.
|
|
// MessageBuffers - Contains an array of signed buffers and
|
|
// a signature buffer.
|
|
// MessageSequenceNumber - Sequence number for this message,
|
|
// only used in datagram cases.
|
|
// QualityOfProtection - Unused flags.
|
|
//
|
|
// Requires: STATUS_INVALID_HANDLE - the context could not be found or
|
|
// was not configured for message integrity.
|
|
// STATUS_INVALID_PARAMETER - the signature buffer could not
|
|
// be found or was too small.
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes: This was stolen from net\svcdlls\ntlmssp\client\sign.c ,
|
|
// routine SspHandleUnsealMessage. It's possible that
|
|
// bugs got copied too
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS NTAPI
|
|
SpUnsealMessage(
|
|
IN ULONG_PTR ContextHandle,
|
|
IN PSecBufferDesc pMessage,
|
|
IN ULONG MessageSeqNo,
|
|
OUT PULONG pfQOP
|
|
)
|
|
{
|
|
SspPrint(( SSP_API, "Entering SpUnsealMessage\n" ));
|
|
NTSTATUS Status = S_OK;
|
|
NTSTATUS SubStatus = S_OK;
|
|
PNTLM_CLIENT_CONTEXT pContext;
|
|
NTLMSSP_MESSAGE_SIGNATURE Sig;
|
|
PNTLMSSP_MESSAGE_SIGNATURE pSig; // pointer to buffer where sig goes
|
|
NTLMSSP_MESSAGE_SIGNATURE AlignedSig; // aligned buffer.
|
|
|
|
PSecBufferDesc MessageBuffers = pMessage;
|
|
ULONG Index;
|
|
PSecBuffer SignatureBuffer = NULL;
|
|
PSecBuffer StreamBuffer = NULL;
|
|
PSecBuffer DataBuffer = NULL;
|
|
SecBufferDesc ProcessBuffers;
|
|
SecBuffer wrap_bufs[2];
|
|
|
|
UNREFERENCED_PARAMETER(pfQOP);
|
|
|
|
pContext = ReferenceUserContext(ContextHandle, FALSE);
|
|
|
|
if (!pContext)
|
|
{
|
|
Status = STATUS_INVALID_HANDLE;
|
|
SspPrint(( SSP_CRITICAL, "SpUnsealMessage, ReferenceUserContext returns NULL\n" ));
|
|
goto CleanUp;
|
|
}
|
|
|
|
|
|
//
|
|
// Find the body and signature SecBuffers from pMessage
|
|
//
|
|
|
|
for (Index = 0; Index < MessageBuffers->cBuffers ; Index++ )
|
|
{
|
|
if ((MessageBuffers->pBuffers[Index].BufferType & ~SECBUFFER_ATTRMASK) == SECBUFFER_TOKEN)
|
|
{
|
|
SignatureBuffer = &MessageBuffers->pBuffers[Index];
|
|
}
|
|
else if ((MessageBuffers->pBuffers[Index].BufferType & ~SECBUFFER_ATTRMASK) == SECBUFFER_STREAM)
|
|
{
|
|
StreamBuffer = &MessageBuffers->pBuffers[Index];
|
|
}
|
|
else if ((MessageBuffers->pBuffers[Index].BufferType & ~SECBUFFER_ATTRMASK) == SECBUFFER_DATA)
|
|
{
|
|
DataBuffer = &MessageBuffers->pBuffers[Index];
|
|
}
|
|
}
|
|
|
|
if( StreamBuffer != NULL )
|
|
{
|
|
|
|
if( SignatureBuffer != NULL )
|
|
{
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
SspPrint(( SSP_CRITICAL, "SpUnsealMessage, Both stream and signature buffer present.\n"));
|
|
goto CleanUp;
|
|
}
|
|
|
|
//
|
|
// for version 1 NTLM blobs, padding is never present, since RC4 is stream cipher.
|
|
//
|
|
|
|
wrap_bufs[0].cbBuffer = NTLMSSP_MESSAGE_SIGNATURE_SIZE;
|
|
wrap_bufs[1].cbBuffer = StreamBuffer->cbBuffer - NTLMSSP_MESSAGE_SIGNATURE_SIZE;
|
|
|
|
if( StreamBuffer->cbBuffer < wrap_bufs[0].cbBuffer )
|
|
{
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
SspPrint(( SSP_CRITICAL, "SpUnsealMessage, invalid buffer present in STREAM.\n"));
|
|
goto CleanUp;
|
|
}
|
|
|
|
|
|
wrap_bufs[0].BufferType = SECBUFFER_TOKEN;
|
|
wrap_bufs[0].pvBuffer = StreamBuffer->pvBuffer;
|
|
|
|
wrap_bufs[1].BufferType = SECBUFFER_DATA;
|
|
wrap_bufs[1].pvBuffer = (PBYTE)wrap_bufs[0].pvBuffer + wrap_bufs[0].cbBuffer;
|
|
|
|
if( DataBuffer == NULL )
|
|
{
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
SspPrint(( SSP_CRITICAL, "SpUnsealMessage, gss missing SECBUFFER_DATA.\n"));
|
|
goto CleanUp;
|
|
}
|
|
|
|
DataBuffer->cbBuffer = wrap_bufs[1].cbBuffer;
|
|
DataBuffer->pvBuffer = wrap_bufs[1].pvBuffer;
|
|
|
|
ProcessBuffers.cBuffers = 2;
|
|
ProcessBuffers.pBuffers = wrap_bufs;
|
|
ProcessBuffers.ulVersion = SECBUFFER_VERSION;
|
|
|
|
} else {
|
|
ProcessBuffers = *MessageBuffers;
|
|
}
|
|
|
|
Status = SspSignSealHelper(
|
|
pContext,
|
|
eUnseal,
|
|
&ProcessBuffers,
|
|
MessageSeqNo,
|
|
&Sig,
|
|
&pSig
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SpUnsealMessage, SspSignSealHelper returns %lx\n", Status ));
|
|
goto CleanUp;
|
|
}
|
|
|
|
RtlCopyMemory( &AlignedSig, pSig, sizeof(AlignedSig) );
|
|
|
|
if (AlignedSig.Version != NTLM_SIGN_VERSION) {
|
|
SspPrint(( SSP_CRITICAL, "SpUnsealMessage, unknown Version wanted=%lx got=%lx\n",
|
|
NTLM_SIGN_VERSION,
|
|
AlignedSig.Version
|
|
));
|
|
Status = SEC_E_INVALID_TOKEN;
|
|
goto CleanUp;
|
|
}
|
|
|
|
// validate the signature...
|
|
if (AlignedSig.CheckSum != Sig.CheckSum)
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SpUnsealMessage, CheckSum mis-match wanted=%lx got=%lx\n",
|
|
Sig.CheckSum,
|
|
AlignedSig.CheckSum
|
|
));
|
|
Status = SEC_E_MESSAGE_ALTERED;
|
|
goto CleanUp;
|
|
}
|
|
|
|
if (AlignedSig.RandomPad != Sig.RandomPad)
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SpUnsealMessage, RandomPad mis-match wanted=%lx got=%lx\n",
|
|
Sig.RandomPad,
|
|
AlignedSig.RandomPad
|
|
));
|
|
Status = SEC_E_MESSAGE_ALTERED;
|
|
goto CleanUp;
|
|
}
|
|
|
|
if (AlignedSig.Nonce != Sig.Nonce)
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SpUnsealMessage, Nonce mis-match wanted=%lx got=%lx\n",
|
|
Sig.Nonce,
|
|
AlignedSig.Nonce
|
|
));
|
|
Status = SEC_E_OUT_OF_SEQUENCE;
|
|
goto CleanUp;
|
|
}
|
|
|
|
CleanUp:
|
|
|
|
if (pContext != NULL)
|
|
{
|
|
SubStatus = DereferenceUserContext(pContext);
|
|
|
|
// Don't destroy real status
|
|
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
Status = SubStatus;
|
|
}
|
|
}
|
|
|
|
SspPrint(( SSP_API, "Leaving SpUnsealMessage: 0x%lx\n", Status ));
|
|
return(SspNtStatusToSecStatus(Status, SEC_E_INTERNAL_ERROR));
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpGetContextToken
|
|
//
|
|
// Synopsis: returns a pointer to the token for a server-side context
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS NTAPI
|
|
SpGetContextToken(
|
|
IN ULONG_PTR ContextHandle,
|
|
OUT PHANDLE ImpersonationToken
|
|
)
|
|
{
|
|
SspPrint(( SSP_API, "Entering SpGetContextToken\n" ));
|
|
NTSTATUS Status = S_OK;
|
|
PNTLM_CLIENT_CONTEXT pContext;
|
|
|
|
pContext = ReferenceUserContext(ContextHandle, FALSE);
|
|
|
|
if (pContext && pContext->ClientTokenHandle)
|
|
{
|
|
*ImpersonationToken = pContext->ClientTokenHandle;
|
|
Status= S_OK;
|
|
goto CleanUp;
|
|
}
|
|
|
|
Status = STATUS_INVALID_HANDLE;
|
|
SspPrint(( SSP_CRITICAL, "SpGetContextToken, no token handle\n" ));
|
|
|
|
CleanUp:
|
|
|
|
if (pContext != NULL)
|
|
{
|
|
Status = DereferenceUserContext(pContext);
|
|
}
|
|
|
|
SspPrint(( SSP_API, "Leaving SpGetContextToken: 0x%lx\n", Status ));
|
|
return(SspNtStatusToSecStatus(Status, SEC_E_INTERNAL_ERROR));
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpQueryContextAttributes
|
|
//
|
|
// Synopsis: Querys attributes of the specified context
|
|
// This API allows a customer of the security
|
|
// services to determine certain attributes of
|
|
// the context. These are: sizes, names, and lifespan.
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// ContextHandle - Handle to the context to query.
|
|
//
|
|
// Attribute - Attribute to query.
|
|
//
|
|
// #define SECPKG_ATTR_SIZES 0
|
|
// #define SECPKG_ATTR_NAMES 1
|
|
// #define SECPKG_ATTR_LIFESPAN 2
|
|
//
|
|
// Buffer - Buffer to copy the data into. The buffer must
|
|
// be large enough to fit the queried attribute.
|
|
//
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// STATUS_SUCCESS - Call completed successfully
|
|
//
|
|
// STATUS_INVALID_HANDLE -- Credential/Context Handle is invalid
|
|
// STATUS_NOT_SUPPORTED -- Function code is not supported
|
|
//
|
|
// Notes:
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS NTAPI
|
|
SpQueryContextAttributes(
|
|
IN ULONG_PTR ContextHandle,
|
|
IN ULONG Attribute,
|
|
IN OUT PVOID Buffer
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PNTLM_CLIENT_CONTEXT pContext = NULL;
|
|
PSecPkgContext_Sizes ContextSizes;
|
|
PSecPkgContext_Flags ContextFlags;
|
|
PSecPkgContext_DceInfo ContextDceInfo = NULL;
|
|
PSecPkgContext_Names ContextNames = NULL;
|
|
PSecPkgContext_PackageInfo PackageInfo;
|
|
PSecPkgContext_NegotiationInfo NegInfo ;
|
|
PSecPkgContext_PasswordExpiry PasswordExpires;
|
|
PSecPkgContext_UserFlags UserFlags;
|
|
PSecPkgContext_SessionKey SessionKeyInfo;
|
|
PSecPkgContext_AccessToken AccessToken;
|
|
ULONG PackageInfoSize = 0;
|
|
|
|
SspPrint(( SSP_API, "Entering SpQueryContextAttributes\n" ));
|
|
|
|
pContext = ReferenceUserContext(ContextHandle, FALSE);
|
|
|
|
if (pContext == NULL) {
|
|
Status = STATUS_INVALID_HANDLE;
|
|
SspPrint(( SSP_API_MORE, "SpQueryContextAttributes, ReferenceUserContext returns NULL (possible incomplete context)\n" ));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Handle each of the various queried attributes
|
|
//
|
|
|
|
SspPrint(( SSP_API_MORE, "SpQueryContextAttributes : 0x%lx\n", Attribute ));
|
|
switch ( Attribute) {
|
|
case SECPKG_ATTR_SIZES:
|
|
|
|
ContextSizes = (PSecPkgContext_Sizes) Buffer;
|
|
ContextSizes->cbMaxToken = NTLMSP_MAX_TOKEN_SIZE;
|
|
|
|
if (pContext->NegotiateFlags & (NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
|
|
NTLMSSP_NEGOTIATE_SIGN |
|
|
NTLMSSP_NEGOTIATE_SEAL) ) {
|
|
ContextSizes->cbMaxSignature = NTLMSSP_MESSAGE_SIGNATURE_SIZE;
|
|
} else {
|
|
ContextSizes->cbMaxSignature = 0;
|
|
}
|
|
|
|
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_SEAL) {
|
|
ContextSizes->cbBlockSize = 1;
|
|
ContextSizes->cbSecurityTrailer = NTLMSSP_MESSAGE_SIGNATURE_SIZE;
|
|
}
|
|
else
|
|
{
|
|
ContextSizes->cbBlockSize = 0;
|
|
if((pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_SIGN) ||
|
|
(pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_ALWAYS_SIGN))
|
|
{
|
|
ContextSizes->cbSecurityTrailer = NTLMSSP_MESSAGE_SIGNATURE_SIZE;
|
|
} else {
|
|
ContextSizes->cbSecurityTrailer = 0;
|
|
}
|
|
}
|
|
|
|
break;
|
|
|
|
case SECPKG_ATTR_DCE_INFO:
|
|
|
|
ContextDceInfo = (PSecPkgContext_DceInfo) Buffer;
|
|
|
|
if (pContext->ContextNames)
|
|
{
|
|
UINT Length = wcslen(pContext->ContextNames);
|
|
ContextDceInfo->pPac = (LPWSTR)UserFunctions->AllocateHeap((Length + 1) * sizeof(WCHAR));
|
|
if (ContextDceInfo->pPac == NULL) {
|
|
Status = STATUS_NO_MEMORY;
|
|
SspPrint(( SSP_CRITICAL, "SpQueryContextAttributes, NtLmAllocate returns NULL\n" ));
|
|
goto Cleanup;
|
|
}
|
|
|
|
RtlCopyMemory(
|
|
(LPWSTR) ContextDceInfo->pPac,
|
|
pContext->ContextNames,
|
|
Length * sizeof(WCHAR)
|
|
);
|
|
*((LPWSTR)(ContextDceInfo->pPac) + Length) = L'\0';
|
|
}
|
|
else
|
|
{
|
|
SspPrint(( SSP_API_MORE, "SpQueryContextAttributes no ContextNames\n" ));
|
|
ContextDceInfo->pPac = (LPWSTR) UserFunctions->AllocateHeap(sizeof(WCHAR));
|
|
*((LPWSTR)(ContextDceInfo->pPac)) = L'\0';
|
|
}
|
|
|
|
ContextDceInfo->AuthzSvc = 0;
|
|
|
|
break;
|
|
|
|
case SECPKG_ATTR_SESSION_KEY:
|
|
{
|
|
if (NtLmState != NtLmLsaMode)
|
|
{
|
|
Status = STATUS_INVALID_PARAMETER;
|
|
break;
|
|
}
|
|
|
|
SessionKeyInfo = (PSecPkgContext_SessionKey) Buffer;
|
|
SessionKeyInfo->SessionKeyLength = sizeof(pContext->SessionKey);
|
|
|
|
SessionKeyInfo->SessionKey = (PUCHAR) UserFunctions->AllocateHeap(
|
|
SessionKeyInfo->SessionKeyLength
|
|
);
|
|
if (SessionKeyInfo->SessionKey != NULL)
|
|
{
|
|
RtlCopyMemory(
|
|
SessionKeyInfo->SessionKey,
|
|
pContext->SessionKey,
|
|
SessionKeyInfo->SessionKeyLength
|
|
);
|
|
}
|
|
else
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
}
|
|
|
|
break;
|
|
}
|
|
|
|
case SECPKG_ATTR_NAMES:
|
|
|
|
ContextNames = (PSecPkgContext_Names) Buffer;
|
|
|
|
if (pContext->ContextNames)
|
|
{
|
|
UINT Length = wcslen(pContext->ContextNames);
|
|
ContextNames->sUserName = (LPWSTR) UserFunctions->AllocateHeap((Length+1) * sizeof(WCHAR));
|
|
if (ContextNames->sUserName == NULL) {
|
|
Status = STATUS_NO_MEMORY;
|
|
SspPrint(( SSP_CRITICAL, "SpQueryContextAttributes, NtLmAllocate returns NULL\n" ));
|
|
goto Cleanup;
|
|
}
|
|
RtlCopyMemory(
|
|
ContextNames->sUserName,
|
|
pContext->ContextNames,
|
|
Length * sizeof(WCHAR)
|
|
);
|
|
*(ContextNames->sUserName + Length) = L'\0';
|
|
}
|
|
else
|
|
{
|
|
SspPrint(( SSP_API_MORE, "SpQueryContextAttributes no ContextNames\n" ));
|
|
ContextNames->sUserName = (LPWSTR) UserFunctions->AllocateHeap(sizeof(WCHAR));
|
|
*(ContextNames->sUserName) = L'\0';
|
|
}
|
|
|
|
break;
|
|
case SECPKG_ATTR_PACKAGE_INFO:
|
|
case SECPKG_ATTR_NEGOTIATION_INFO:
|
|
//
|
|
// Return the information about this package. This is useful for
|
|
// callers who used SPNEGO and don't know what package they got.
|
|
//
|
|
|
|
PackageInfo = (PSecPkgContext_PackageInfo) Buffer;
|
|
PackageInfoSize = sizeof(SecPkgInfoW) + sizeof(NTLMSP_NAME) + sizeof(NTLMSP_COMMENT);
|
|
PackageInfo->PackageInfo = (PSecPkgInfoW) UserFunctions->AllocateHeap(PackageInfoSize);
|
|
if (PackageInfo->PackageInfo == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
PackageInfo->PackageInfo->Name = (LPWSTR) (PackageInfo->PackageInfo + 1);
|
|
PackageInfo->PackageInfo->Comment = (LPWSTR) ((((PBYTE) PackageInfo->PackageInfo->Name)) + sizeof(NTLMSP_NAME));
|
|
wcscpy(
|
|
PackageInfo->PackageInfo->Name,
|
|
NTLMSP_NAME
|
|
);
|
|
|
|
wcscpy(
|
|
PackageInfo->PackageInfo->Comment,
|
|
NTLMSP_COMMENT
|
|
);
|
|
PackageInfo->PackageInfo->wVersion = SECURITY_SUPPORT_PROVIDER_INTERFACE_VERSION;
|
|
PackageInfo->PackageInfo->wRPCID = RPC_C_AUTHN_WINNT;
|
|
PackageInfo->PackageInfo->fCapabilities = NTLMSP_CAPS;
|
|
PackageInfo->PackageInfo->cbMaxToken = NTLMSP_MAX_TOKEN_SIZE;
|
|
|
|
if ( Attribute == SECPKG_ATTR_NEGOTIATION_INFO )
|
|
{
|
|
NegInfo = (PSecPkgContext_NegotiationInfo) PackageInfo ;
|
|
NegInfo->NegotiationState = SECPKG_NEGOTIATION_COMPLETE ;
|
|
}
|
|
break;
|
|
|
|
case SECPKG_ATTR_PASSWORD_EXPIRY:
|
|
PasswordExpires = (PSecPkgContext_PasswordExpiry) Buffer;
|
|
if(pContext->PasswordExpiry.QuadPart != 0) {
|
|
PasswordExpires->tsPasswordExpires = pContext->PasswordExpiry;
|
|
} else {
|
|
Status = SEC_E_UNSUPPORTED_FUNCTION;
|
|
}
|
|
break;
|
|
|
|
case SECPKG_ATTR_USER_FLAGS:
|
|
UserFlags = (PSecPkgContext_UserFlags) Buffer;
|
|
UserFlags->UserFlags = pContext->UserFlags;
|
|
break;
|
|
|
|
case SECPKG_ATTR_FLAGS:
|
|
{
|
|
BOOLEAN Client = (pContext->ClientTokenHandle == 0);
|
|
ULONG Flags = 0;
|
|
|
|
//
|
|
// note: doesn't return all flags; by design.
|
|
//
|
|
ContextFlags = (PSecPkgContext_Flags) Buffer;
|
|
ContextFlags->Flags = 0;
|
|
|
|
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_SEAL) {
|
|
if( Client )
|
|
{
|
|
Flags |= ISC_RET_CONFIDENTIALITY;
|
|
} else {
|
|
Flags |= ASC_RET_CONFIDENTIALITY;
|
|
}
|
|
}
|
|
|
|
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_SIGN) {
|
|
if( Client )
|
|
{
|
|
Flags |= ISC_RET_SEQUENCE_DETECT | ISC_RET_REPLAY_DETECT | ISC_RET_INTEGRITY;
|
|
} else {
|
|
Flags |= ASC_RET_SEQUENCE_DETECT | ASC_RET_REPLAY_DETECT | ASC_RET_INTEGRITY;
|
|
}
|
|
}
|
|
|
|
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_NULL_SESSION) {
|
|
if( Client )
|
|
{
|
|
Flags |= ISC_RET_NULL_SESSION;
|
|
} else {
|
|
Flags |= ASC_RET_NULL_SESSION;
|
|
}
|
|
}
|
|
|
|
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_DATAGRAM) {
|
|
if( Client )
|
|
{
|
|
Flags |= ISC_RET_DATAGRAM;
|
|
} else {
|
|
Flags |= ASC_RET_DATAGRAM;
|
|
}
|
|
}
|
|
|
|
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_IDENTIFY) {
|
|
if( Client )
|
|
{
|
|
Flags |= ISC_RET_IDENTIFY;
|
|
} else {
|
|
Flags |= ASC_RET_IDENTIFY;
|
|
}
|
|
}
|
|
|
|
ContextFlags->Flags |= Flags;
|
|
|
|
break;
|
|
}
|
|
case SECPKG_ATTR_ACCESS_TOKEN:
|
|
AccessToken = (PSecPkgContext_AccessToken) Buffer;
|
|
//
|
|
// ClientTokenHandle can be NULL, for instance:
|
|
// 1. client side context.
|
|
// 2. incomplete server context.
|
|
//
|
|
if(pContext->ClientTokenHandle)
|
|
AccessToken->AccessToken = pContext->ClientTokenHandle;
|
|
else
|
|
Status = SEC_E_NO_IMPERSONATION;
|
|
break;
|
|
|
|
case SECPKG_ATTR_LIFESPAN:
|
|
default:
|
|
Status = STATUS_NOT_SUPPORTED;
|
|
break;
|
|
}
|
|
|
|
|
|
Cleanup:
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
switch (Attribute) {
|
|
|
|
case SECPKG_ATTR_NAMES:
|
|
|
|
if (ContextNames != NULL && ContextNames->sUserName )
|
|
{
|
|
NtLmFree(ContextNames->sUserName);
|
|
}
|
|
break;
|
|
|
|
case SECPKG_ATTR_DCE_INFO:
|
|
|
|
if (ContextDceInfo != NULL && ContextDceInfo->pPac)
|
|
{
|
|
NtLmFree(ContextDceInfo->pPac);
|
|
}
|
|
break;
|
|
}
|
|
}
|
|
|
|
if (pContext != NULL)
|
|
{
|
|
(VOID) DereferenceUserContext(pContext);
|
|
}
|
|
|
|
SspPrint(( SSP_API, "Leaving SpQueryContextAttributes: 0x%lx\n", Status ));
|
|
return(SspNtStatusToSecStatus(Status, SEC_E_INTERNAL_ERROR));
|
|
}
|
|
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpCompleteAuthToken
|
|
//
|
|
// Synopsis: Completes a context
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS NTAPI
|
|
SpCompleteAuthToken(
|
|
IN ULONG_PTR ContextHandle,
|
|
IN PSecBufferDesc InputBuffer
|
|
)
|
|
{
|
|
UNREFERENCED_PARAMETER (ContextHandle);
|
|
UNREFERENCED_PARAMETER (InputBuffer);
|
|
SspPrint(( SSP_API, "Entering SpCompleteAuthToken\n" ));
|
|
SspPrint(( SSP_API, "Leaving SpCompleteAuthToken\n" ));
|
|
return(SEC_E_UNSUPPORTED_FUNCTION);
|
|
}
|
|
|
|
|
|
NTSTATUS NTAPI
|
|
SpFormatCredentials(
|
|
IN PSecBuffer Credentials,
|
|
OUT PSecBuffer FormattedCredentials
|
|
)
|
|
{
|
|
UNREFERENCED_PARAMETER (Credentials);
|
|
UNREFERENCED_PARAMETER (FormattedCredentials);
|
|
SspPrint(( SSP_API, "Entering SpFormatCredentials\n" ));
|
|
SspPrint(( SSP_API, "Leaving SpFormatCredentials\n" ));
|
|
return(SEC_E_UNSUPPORTED_FUNCTION);
|
|
}
|
|
|
|
NTSTATUS NTAPI
|
|
SpMarshallSupplementalCreds(
|
|
IN ULONG CredentialSize,
|
|
IN PUCHAR Credentials,
|
|
OUT PULONG MarshalledCredSize,
|
|
OUT PVOID * MarshalledCreds
|
|
)
|
|
{
|
|
UNREFERENCED_PARAMETER (CredentialSize);
|
|
UNREFERENCED_PARAMETER (Credentials);
|
|
UNREFERENCED_PARAMETER (MarshalledCredSize);
|
|
UNREFERENCED_PARAMETER (MarshalledCreds);
|
|
SspPrint(( SSP_API, "Entering SpMarshallSupplementalCreds\n" ));
|
|
SspPrint(( SSP_API, "Leaving SpMarshallSupplementalCreds\n" ));
|
|
return(SEC_E_UNSUPPORTED_FUNCTION);
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: NtLmMakePackedContext
|
|
//
|
|
// Synopsis: Maps a context to the caller's address space
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: Context - The context to map
|
|
// MappedContext - Set to TRUE on success
|
|
// ContextData - Receives a buffer in the caller's address space
|
|
// with the mapped context.
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS
|
|
NtLmMakePackedContext(
|
|
IN PNTLM_CLIENT_CONTEXT Context,
|
|
OUT PBOOLEAN MappedContext,
|
|
OUT PSecBuffer ContextData,
|
|
IN ULONG Flags
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PNTLM_PACKED_CONTEXT PackedContext = NULL;
|
|
ULONG ContextSize, ContextNameSize = 0;
|
|
|
|
|
|
if (Context->ContextNames)
|
|
{
|
|
ContextNameSize = wcslen(Context->ContextNames);
|
|
}
|
|
|
|
ContextSize = sizeof(NTLM_CLIENT_CONTEXT) +
|
|
ContextNameSize * sizeof(WCHAR) + sizeof( WCHAR );
|
|
|
|
PackedContext = (PNTLM_PACKED_CONTEXT) NtLmAllocateLsaHeap( ContextSize );
|
|
|
|
if (PackedContext == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
// Copy all fields of the old context
|
|
|
|
PackedContext->Tag = NTLM_PACKED_CONTEXT_MAP ;
|
|
PackedContext->NegotiateFlags = Context->NegotiateFlags ;
|
|
PackedContext->SendNonce = Context->SendNonce ;
|
|
PackedContext->RecvNonce = Context->RecvNonce ;
|
|
RtlCopyMemory(
|
|
PackedContext->SessionKey,
|
|
Context->SessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH );
|
|
|
|
PackedContext->ContextSignature = Context->ContextSignature ;
|
|
PackedContext->PasswordExpiry = Context->PasswordExpiry ;
|
|
PackedContext->UserFlags = Context->UserFlags ;
|
|
if ( ContextNameSize )
|
|
{
|
|
PackedContext->ContextNames = sizeof( NTLM_PACKED_CONTEXT );
|
|
PackedContext->ContextNameLength = (ContextNameSize + 1) * sizeof( WCHAR ) ;
|
|
|
|
RtlCopyMemory(
|
|
(PackedContext + 1),
|
|
Context->ContextNames,
|
|
PackedContext->ContextNameLength );
|
|
|
|
}
|
|
else
|
|
{
|
|
PackedContext->ContextNames = 0 ;
|
|
}
|
|
|
|
RtlCopyMemory(
|
|
PackedContext->SignSessionKey,
|
|
Context->SignSessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH );
|
|
|
|
RtlCopyMemory(
|
|
PackedContext->VerifySessionKey,
|
|
Context->VerifySessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH );
|
|
|
|
RtlCopyMemory(
|
|
PackedContext->SealSessionKey,
|
|
Context->SealSessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH );
|
|
|
|
RtlCopyMemory(
|
|
PackedContext->UnsealSessionKey,
|
|
Context->SealSessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH );
|
|
|
|
RtlCopyMemory(
|
|
&PackedContext->SealRc4Sched,
|
|
&Context->SealRc4Sched,
|
|
sizeof( struct RC4_KEYSTRUCT ) );
|
|
|
|
RtlCopyMemory(
|
|
&PackedContext->UnsealRc4Sched,
|
|
&Context->UnsealRc4Sched,
|
|
sizeof( struct RC4_KEYSTRUCT ) );
|
|
|
|
|
|
// Replace some fields
|
|
|
|
|
|
//
|
|
// Token will be returned by the caller of this routine
|
|
//
|
|
|
|
PackedContext->ClientTokenHandle = 0 ;
|
|
|
|
// Save the fact that it's exported
|
|
PackedContext->NegotiateFlags |= NTLMSSP_NEGOTIATE_EXPORTED_CONTEXT;
|
|
|
|
ContextData->pvBuffer = PackedContext;
|
|
ContextData->cbBuffer = ContextSize;
|
|
|
|
|
|
*MappedContext = TRUE;
|
|
|
|
|
|
Status = STATUS_SUCCESS;
|
|
|
|
Cleanup:
|
|
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
if (PackedContext != NULL)
|
|
{
|
|
NtLmFreeLsaHeap(PackedContext);
|
|
}
|
|
}
|
|
|
|
return(Status);
|
|
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpExportSecurityContext
|
|
//
|
|
// Synopsis: Exports a security context to another process
|
|
//
|
|
// Effects: Allocates memory for output
|
|
//
|
|
// Arguments: ContextHandle - handle to context to export
|
|
// Flags - Flags concerning duplication. Allowable flags:
|
|
// SECPKG_CONTEXT_EXPORT_DELETE_OLD - causes old context
|
|
// to be deleted.
|
|
// PackedContext - Receives serialized context to be freed with
|
|
// FreeContextBuffer
|
|
// TokenHandle - Optionally receives handle to context's token.
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
SpExportSecurityContext(
|
|
IN ULONG_PTR ContextHandle,
|
|
IN ULONG Flags,
|
|
OUT PSecBuffer PackedContext,
|
|
OUT PHANDLE TokenHandle
|
|
)
|
|
{
|
|
PNTLM_CLIENT_CONTEXT Context = NULL ;
|
|
PNTLM_PACKED_CONTEXT pvContext = NULL;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
NTSTATUS SubStatus = STATUS_SUCCESS;
|
|
ULONG ContextSize = 0;
|
|
BOOLEAN MappedContext = FALSE;
|
|
|
|
|
|
SspPrint(( SSP_API,"Entering SpExportSecurityContext for context 0x%x\n", ContextHandle ));
|
|
|
|
if (ARGUMENT_PRESENT(TokenHandle))
|
|
{
|
|
*TokenHandle = NULL;
|
|
}
|
|
|
|
PackedContext->pvBuffer = NULL;
|
|
PackedContext->cbBuffer = 0;
|
|
PackedContext->BufferType = 0;
|
|
|
|
Context = ReferenceUserContext(
|
|
ContextHandle,
|
|
FALSE // don't unlink
|
|
);
|
|
|
|
if (Context == NULL)
|
|
{
|
|
SspPrint((SSP_CRITICAL, "SpExportSecurityContext: Invalid handle supplied (0x%x)\n",
|
|
ContextHandle));
|
|
Status = STATUS_INVALID_HANDLE;
|
|
goto Cleanup;
|
|
}
|
|
|
|
Status = NtLmMakePackedContext(
|
|
Context,
|
|
&MappedContext,
|
|
PackedContext,
|
|
Flags
|
|
);
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
ASSERT(MappedContext);
|
|
|
|
|
|
//
|
|
// Now either duplicate the token or copy it.
|
|
//
|
|
|
|
if (ARGUMENT_PRESENT(TokenHandle))
|
|
{
|
|
ULONG LockIndex;
|
|
|
|
LockIndex = ListIndexToLockIndex( HandleToListIndex( ContextHandle ) );
|
|
|
|
RtlAcquireResourceShared( &NtLmUserContextLock[LockIndex], TRUE );
|
|
|
|
if ((Flags & SECPKG_CONTEXT_EXPORT_DELETE_OLD) != 0)
|
|
{
|
|
RtlConvertSharedToExclusive( &NtLmUserContextLock[LockIndex] );
|
|
|
|
*TokenHandle = Context->ClientTokenHandle;
|
|
Context->ClientTokenHandle = NULL;
|
|
}
|
|
else
|
|
{
|
|
Status = NtDuplicateObject(
|
|
NtCurrentProcess(),
|
|
Context->ClientTokenHandle,
|
|
NULL,
|
|
TokenHandle,
|
|
0, // no new access
|
|
0, // no handle attributes
|
|
DUPLICATE_SAME_ACCESS
|
|
);
|
|
}
|
|
|
|
RtlReleaseResource( &NtLmUserContextLock[LockIndex] );
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
}
|
|
|
|
pvContext = (PNTLM_PACKED_CONTEXT) PackedContext->pvBuffer;
|
|
|
|
// Semantics of this flag: Export from here, but reset the Nonce.
|
|
// We zero out the session key, since all we need is the rc4 key.
|
|
|
|
if ((Flags & SECPKG_CONTEXT_EXPORT_RESET_NEW) != 0)
|
|
{
|
|
pvContext->SendNonce = (ULONG) -1;
|
|
pvContext->RecvNonce = (ULONG) -1;
|
|
}
|
|
|
|
RtlZeroMemory(
|
|
&pvContext->SessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH
|
|
);
|
|
|
|
Cleanup:
|
|
|
|
if (Context != NULL)
|
|
{
|
|
SubStatus = DereferenceUserContext(Context);
|
|
|
|
// Don't destroy real status
|
|
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
Status = SubStatus;
|
|
}
|
|
}
|
|
|
|
SspPrint(( SSP_API,"Leaving SpExportContext: 0x%lx\n", Status ));
|
|
return(SspNtStatusToSecStatus(Status, SEC_E_INTERNAL_ERROR));
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: NtLmCreateUserModeContext
|
|
//
|
|
// Synopsis: Creates a user-mode context to support impersonation and
|
|
// message integrity and privacy
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
NTSTATUS
|
|
NtLmCreateUserModeContext(
|
|
IN ULONG_PTR ContextHandle,
|
|
IN HANDLE Token,
|
|
IN PSecBuffer MarshalledContext,
|
|
OUT PNTLM_CLIENT_CONTEXT * NewContext
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
PNTLM_CLIENT_CONTEXT Context = NULL;
|
|
PNTLM_PACKED_CONTEXT PackedContext;
|
|
UINT Length = 0;
|
|
ULONG ListIndex;
|
|
ULONG LockIndex;
|
|
|
|
if (MarshalledContext->cbBuffer < sizeof(NTLM_PACKED_CONTEXT))
|
|
{
|
|
SspPrint((SSP_CRITICAL,"NtLmCreateUserModeContext: Invalid buffer size for marshalled context: was 0x%x, needed 0x%x\n",
|
|
MarshalledContext->cbBuffer, sizeof(NTLM_PACKED_CONTEXT)));
|
|
return(STATUS_INVALID_PARAMETER);
|
|
}
|
|
|
|
PackedContext = (PNTLM_PACKED_CONTEXT) MarshalledContext->pvBuffer;
|
|
|
|
Context = (PNTLM_CLIENT_CONTEXT)NtLmAllocate ( sizeof(NTLM_CLIENT_CONTEXT));
|
|
|
|
if (Context == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
Context->NegotiateFlags = PackedContext->NegotiateFlags ;
|
|
Context->SendNonce = PackedContext->SendNonce ;
|
|
Context->RecvNonce = PackedContext->RecvNonce ;
|
|
RtlCopyMemory(
|
|
Context->SessionKey,
|
|
PackedContext->SessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH );
|
|
|
|
Context->ContextSignature = PackedContext->ContextSignature ;
|
|
Context->PasswordExpiry = PackedContext->PasswordExpiry ;
|
|
Context->UserFlags = PackedContext->UserFlags ;
|
|
|
|
if ( PackedContext->ContextNames )
|
|
{
|
|
Context->ContextNames = (PWSTR) NtLmAllocate( PackedContext->ContextNameLength );
|
|
if ( Context->ContextNames == NULL )
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES ;
|
|
goto Cleanup ;
|
|
}
|
|
|
|
RtlCopyMemory(
|
|
Context->ContextNames,
|
|
((PUCHAR) PackedContext) + PackedContext->ContextNames,
|
|
PackedContext->ContextNameLength );
|
|
|
|
}
|
|
else
|
|
{
|
|
Context->ContextNames = NULL ;
|
|
}
|
|
|
|
RtlCopyMemory(
|
|
Context->SignSessionKey,
|
|
PackedContext->SignSessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH );
|
|
|
|
RtlCopyMemory(
|
|
Context->VerifySessionKey,
|
|
PackedContext->VerifySessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH );
|
|
|
|
RtlCopyMemory(
|
|
Context->SealSessionKey,
|
|
PackedContext->SealSessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH );
|
|
RtlCopyMemory(
|
|
Context->UnsealSessionKey,
|
|
PackedContext->UnsealSessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH );
|
|
|
|
RtlCopyMemory(
|
|
&Context->SealRc4Sched,
|
|
&PackedContext->SealRc4Sched,
|
|
sizeof( struct RC4_KEYSTRUCT ) );
|
|
|
|
RtlCopyMemory(
|
|
&Context->UnsealRc4Sched,
|
|
&PackedContext->UnsealRc4Sched,
|
|
sizeof( struct RC4_KEYSTRUCT ) );
|
|
|
|
|
|
// These need to be changed
|
|
|
|
Context->ClientTokenHandle = Token;
|
|
|
|
if (Context->SendNonce == (ULONG) -1)
|
|
{
|
|
Context->SendNonce = 0;
|
|
}
|
|
|
|
if (Context->RecvNonce == (ULONG) -1)
|
|
{
|
|
Context->RecvNonce = 0;
|
|
}
|
|
|
|
if ( Context->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2 )
|
|
{
|
|
Context->pSealRc4Sched = &Context->SealRc4Sched;
|
|
Context->pUnsealRc4Sched = &Context->UnsealRc4Sched;
|
|
Context->pSendNonce = &Context->SendNonce;
|
|
Context->pRecvNonce = &Context->RecvNonce;
|
|
} else {
|
|
Context->pSealRc4Sched = &Context->SealRc4Sched;
|
|
Context->pUnsealRc4Sched = &Context->SealRc4Sched;
|
|
Context->pSendNonce = &Context->SendNonce;
|
|
Context->pRecvNonce = &Context->SendNonce;
|
|
}
|
|
|
|
|
|
|
|
|
|
Context->References = 2;
|
|
|
|
//
|
|
// Modify the DACL on the token to grant access to the caller
|
|
//
|
|
|
|
if (Context->ClientTokenHandle != NULL)
|
|
{
|
|
Status = SspCreateTokenDacl(
|
|
Context->ClientTokenHandle
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
// Dummy up an lsa handle by incrementing a global variable. This
|
|
// will ensure that each imported context has a unique handle.
|
|
// Skip over values that could be interpreted as an aligned pointer,
|
|
// so that they won't get mixed up with real lsa handles.
|
|
Context->LsaContext = InterlockedIncrement((PLONG)&ExportedContext);
|
|
while(Context->LsaContext % MAX_NATURAL_ALIGNMENT == 0)
|
|
{
|
|
Context->LsaContext = InterlockedIncrement((PLONG)&ExportedContext);
|
|
}
|
|
|
|
|
|
ListIndex = HandleToListIndex( Context->LsaContext );
|
|
LockIndex = ListIndexToLockIndex( ListIndex );
|
|
|
|
RtlAcquireResourceExclusive(&NtLmUserContextLock[LockIndex], TRUE);
|
|
|
|
InsertHeadList ( &NtLmUserContextList[ListIndex], &Context->Next );
|
|
NtLmUserContextCount[ListIndex]++;
|
|
|
|
RtlReleaseResource(&NtLmUserContextLock[LockIndex]);
|
|
|
|
*NewContext = Context;
|
|
|
|
Cleanup:
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
if (Context != NULL)
|
|
{
|
|
FreeUserContext(Context);
|
|
}
|
|
}
|
|
return(Status);
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: SpImportSecurityContext
|
|
//
|
|
// Synopsis:
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
|
|
NTSTATUS
|
|
SpImportSecurityContext(
|
|
IN PSecBuffer PackedContext,
|
|
IN HANDLE Token,
|
|
OUT PULONG_PTR ContextHandle
|
|
)
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
NTSTATUS SubStatus = STATUS_SUCCESS;
|
|
PNTLM_CLIENT_CONTEXT Context = NULL;
|
|
|
|
SspPrint(( SSP_API,"Entering SpImportSecurityContext\n"));
|
|
|
|
Status = NtLmCreateUserModeContext(
|
|
0, // no lsa context
|
|
Token,
|
|
PackedContext,
|
|
&Context
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
SspPrint((SSP_CRITICAL,"SpImportSecurityContext: Failed to create user mode context: 0x%x\n",
|
|
Status));
|
|
goto Cleanup;
|
|
}
|
|
|
|
*ContextHandle = Context->LsaContext;
|
|
|
|
Cleanup:
|
|
|
|
if (Context != NULL)
|
|
{
|
|
SubStatus = DereferenceUserContext(Context);
|
|
|
|
// Don't destroy real status
|
|
|
|
if (NT_SUCCESS(Status))
|
|
{
|
|
Status = SubStatus;
|
|
}
|
|
}
|
|
|
|
SspPrint(( SSP_API,"Leaving SpImportSecurityContext: 0x%lx\n", Status));
|
|
|
|
return(SspNtStatusToSecStatus(Status, SEC_E_INTERNAL_ERROR));
|
|
}
|
|
|
|
|
|
|
|
NTSTATUS
|
|
SspGetTokenUser(
|
|
HANDLE Token,
|
|
PTOKEN_USER pTokenUser,
|
|
PULONG TokenUserSize
|
|
)
|
|
/*++
|
|
|
|
RoutineDescription:
|
|
|
|
Gets the TOKEN_USER from an open token
|
|
|
|
Arguments:
|
|
|
|
Token - Handle to a token open for TOKEN_QUERY access
|
|
|
|
Return Value:
|
|
|
|
STATUS_INSUFFICIENT_RESOURCES - not enough memory to complete the
|
|
function.
|
|
|
|
Errors from NtQueryInformationToken.
|
|
|
|
--*/
|
|
|
|
{
|
|
NTSTATUS Status;
|
|
|
|
Status = NtQueryInformationToken(
|
|
Token,
|
|
TokenUser,
|
|
pTokenUser,
|
|
*TokenUserSize,
|
|
TokenUserSize
|
|
);
|
|
|
|
return(Status);
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
SspCreateTokenDacl(
|
|
HANDLE Token
|
|
)
|
|
/*++
|
|
|
|
RoutineDescription:
|
|
|
|
Creates a new DACL for the token granting the server and client
|
|
all access to the token.
|
|
|
|
Arguments:
|
|
|
|
Token - Handle to an impersonation token open for TOKEN_QUERY and
|
|
WRITE_DAC
|
|
|
|
Return Value:
|
|
|
|
STATUS_INSUFFICIENT_RESOURCES - insufficient memory to complete
|
|
the function.
|
|
|
|
Errors from NtSetSecurityObject
|
|
|
|
--*/
|
|
{
|
|
NTSTATUS Status;
|
|
|
|
PTOKEN_USER ThreadTokenUser;
|
|
PTOKEN_USER ImpersonationTokenUser = NULL;
|
|
|
|
PTOKEN_USER SlowProcessTokenUser = NULL;
|
|
PTOKEN_USER SlowThreadTokenUser = NULL;
|
|
PTOKEN_USER SlowImpersonationTokenUser = NULL;
|
|
|
|
ULONG_PTR FastThreadTokenUser[ 128/sizeof(ULONG_PTR) ];
|
|
ULONG_PTR FastImpersonationTokenUser[ 128/sizeof(ULONG_PTR) ];
|
|
ULONG TokenUserSize;
|
|
|
|
HANDLE ProcessToken = NULL;
|
|
HANDLE ImpersonationToken = NULL;
|
|
BOOL fInsertImpersonatingUser = FALSE;
|
|
SID_IDENTIFIER_AUTHORITY NtAuthority = SECURITY_NT_AUTHORITY;
|
|
ULONG AclLength;
|
|
|
|
PACL NewDacl;
|
|
PACL SlowNewDacl = NULL;
|
|
ULONG_PTR FastNewDacl[ 512/sizeof(ULONG_PTR) ];
|
|
|
|
SECURITY_DESCRIPTOR SecurityDescriptor;
|
|
|
|
//
|
|
// Build the two well known sids we need.
|
|
//
|
|
|
|
if (NtLmGlobalLocalSystemSid == NULL)
|
|
{
|
|
PSID pLocalSidSystem;
|
|
PSID pOldSid;
|
|
|
|
Status = RtlAllocateAndInitializeSid(
|
|
&NtAuthority,
|
|
1,
|
|
SECURITY_LOCAL_SYSTEM_RID,
|
|
0,0,0,0,0,0,0,
|
|
&pLocalSidSystem
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SspCreateTokenDacl, RtlAllocateAndInitializeSid returns 0x%lx\n", Status ));
|
|
goto Cleanup;
|
|
}
|
|
|
|
pOldSid = InterlockedCompareExchangePointer(
|
|
&NtLmGlobalLocalSystemSid,
|
|
pLocalSidSystem,
|
|
NULL
|
|
);
|
|
if( pOldSid )
|
|
{
|
|
RtlFreeSid( pLocalSidSystem );
|
|
}
|
|
}
|
|
|
|
if (NtLmGlobalAliasAdminsSid == NULL)
|
|
{
|
|
PSID pLocalSidAdmins;
|
|
PSID pOldSid;
|
|
|
|
Status = RtlAllocateAndInitializeSid(
|
|
&NtAuthority,
|
|
2,
|
|
SECURITY_BUILTIN_DOMAIN_RID,
|
|
DOMAIN_ALIAS_RID_ADMINS,
|
|
0,0,0,0,0,0,
|
|
&pLocalSidAdmins
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SspCreateTokenDacl, RtlAllocateAndInitializeSid returns 0x%lx\n", Status ));
|
|
goto Cleanup;
|
|
}
|
|
|
|
pOldSid = InterlockedCompareExchangePointer(
|
|
&NtLmGlobalAliasAdminsSid,
|
|
pLocalSidAdmins,
|
|
NULL
|
|
);
|
|
if( pOldSid )
|
|
{
|
|
RtlFreeSid( pLocalSidAdmins );
|
|
}
|
|
}
|
|
|
|
//
|
|
// it's possible that the current thread is impersonating a user.
|
|
// if that's the case, get it's token user, and revert to insure we
|
|
// can open the process token.
|
|
//
|
|
|
|
Status = NtOpenThreadToken(
|
|
NtCurrentThread(),
|
|
TOKEN_QUERY | TOKEN_IMPERSONATE,
|
|
TRUE,
|
|
&ImpersonationToken
|
|
);
|
|
|
|
if( NT_SUCCESS(Status) )
|
|
{
|
|
//
|
|
// stop impersonating.
|
|
//
|
|
|
|
RevertToSelf();
|
|
|
|
//
|
|
// get the token user for the impersonating user.
|
|
//
|
|
|
|
ImpersonationTokenUser = (PTOKEN_USER)FastImpersonationTokenUser;
|
|
TokenUserSize = sizeof(FastImpersonationTokenUser);
|
|
|
|
Status = SspGetTokenUser(
|
|
ImpersonationToken,
|
|
ImpersonationTokenUser,
|
|
&TokenUserSize
|
|
);
|
|
|
|
if( Status == STATUS_BUFFER_TOO_SMALL )
|
|
{
|
|
SlowImpersonationTokenUser = (PTOKEN_USER)NtLmAllocate( TokenUserSize );
|
|
if(SlowImpersonationTokenUser == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
ImpersonationTokenUser = SlowImpersonationTokenUser;
|
|
|
|
Status = SspGetTokenUser(
|
|
ImpersonationToken,
|
|
ImpersonationTokenUser,
|
|
&TokenUserSize
|
|
);
|
|
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SspCreateTokenDacl, SspGetTokenUser returns 0x%lx\n", Status ));
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
|
|
if( NtLmGlobalProcessUserSid == NULL )
|
|
{
|
|
PTOKEN_USER ProcessTokenUser;
|
|
ULONG_PTR FastProcessTokenUser[ 128/sizeof(ULONG_PTR) ];
|
|
PSID pOldSid;
|
|
PSID pNewSid;
|
|
ULONG cbNewSid;
|
|
|
|
//
|
|
// Open the process token to find out the user sid
|
|
//
|
|
|
|
Status = NtOpenProcessToken(
|
|
NtCurrentProcess(),
|
|
TOKEN_QUERY,
|
|
&ProcessToken
|
|
);
|
|
|
|
if(!NT_SUCCESS(Status))
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SspCreateTokenDacl, NtOpenProcessToken returns 0x%lx\n", Status ));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// get the token user for the process token.
|
|
//
|
|
|
|
ProcessTokenUser = (PTOKEN_USER)FastProcessTokenUser;
|
|
TokenUserSize = sizeof(FastProcessTokenUser);
|
|
|
|
Status = SspGetTokenUser(
|
|
ProcessToken,
|
|
ProcessTokenUser,
|
|
&TokenUserSize
|
|
);
|
|
|
|
if( Status == STATUS_BUFFER_TOO_SMALL )
|
|
{
|
|
SlowProcessTokenUser = (PTOKEN_USER)NtLmAllocate( TokenUserSize );
|
|
if(SlowProcessTokenUser == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
ProcessTokenUser = SlowProcessTokenUser;
|
|
|
|
Status = SspGetTokenUser(
|
|
ProcessToken,
|
|
ProcessTokenUser,
|
|
&TokenUserSize
|
|
);
|
|
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SspCreateTokenDacl, SspGetTokenUser returns 0x%lx\n", Status ));
|
|
goto Cleanup;
|
|
}
|
|
|
|
cbNewSid = RtlLengthSid( ProcessTokenUser->User.Sid );
|
|
pNewSid = NtLmAllocate( cbNewSid );
|
|
if( pNewSid == NULL )
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
CopyMemory( pNewSid, ProcessTokenUser->User.Sid, cbNewSid );
|
|
|
|
pOldSid = InterlockedCompareExchangePointer(
|
|
&NtLmGlobalProcessUserSid,
|
|
pNewSid,
|
|
NULL
|
|
);
|
|
if( pOldSid )
|
|
{
|
|
NtLmFree( pNewSid );
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
//
|
|
// Now get the token user for the thread.
|
|
//
|
|
|
|
ThreadTokenUser = (PTOKEN_USER)FastThreadTokenUser;
|
|
TokenUserSize = sizeof(FastThreadTokenUser);
|
|
|
|
Status = SspGetTokenUser(
|
|
Token,
|
|
ThreadTokenUser,
|
|
&TokenUserSize
|
|
);
|
|
|
|
if( Status == STATUS_BUFFER_TOO_SMALL )
|
|
{
|
|
SlowThreadTokenUser = (PTOKEN_USER)NtLmAllocate( TokenUserSize );
|
|
if(SlowThreadTokenUser == NULL)
|
|
{
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
ThreadTokenUser = SlowThreadTokenUser;
|
|
|
|
Status = SspGetTokenUser(
|
|
Token,
|
|
ThreadTokenUser,
|
|
&TokenUserSize
|
|
);
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SspCreateTokenDacl, SspGetTokenUser returns 0x%lx\n", Status ));
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
|
|
AclLength = 4 * sizeof( ACCESS_ALLOWED_ACE ) - 4 * sizeof( ULONG ) +
|
|
RtlLengthSid( NtLmGlobalProcessUserSid ) +
|
|
RtlLengthSid( ThreadTokenUser->User.Sid ) +
|
|
RtlLengthSid( NtLmGlobalLocalSystemSid ) +
|
|
RtlLengthSid( NtLmGlobalAliasAdminsSid ) +
|
|
sizeof( ACL );
|
|
|
|
//
|
|
// determine if we need to add impersonation token sid onto the token Dacl.
|
|
//
|
|
|
|
if( ImpersonationTokenUser &&
|
|
!RtlEqualSid( ImpersonationTokenUser->User.Sid, NtLmGlobalProcessUserSid ) &&
|
|
!RtlEqualSid( ImpersonationTokenUser->User.Sid, ThreadTokenUser->User.Sid )
|
|
)
|
|
{
|
|
AclLength += (sizeof(ACCESS_ALLOWED_ACE) - sizeof( ULONG )) +
|
|
RtlLengthSid( ImpersonationTokenUser->User.Sid );
|
|
|
|
fInsertImpersonatingUser = TRUE;
|
|
}
|
|
|
|
|
|
if( AclLength <= sizeof(FastNewDacl) )
|
|
{
|
|
NewDacl = (PACL)FastNewDacl;
|
|
} else {
|
|
|
|
SlowNewDacl = (PACL)NtLmAllocate(AclLength );
|
|
|
|
NewDacl = SlowNewDacl;
|
|
|
|
if (SlowNewDacl == NULL) {
|
|
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
SspPrint(( SSP_CRITICAL, "SspCreateTokenDacl, NtLmallocate returns 0x%lx\n", NewDacl));
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
}
|
|
|
|
Status = RtlCreateAcl( NewDacl, AclLength, ACL_REVISION2 );
|
|
ASSERT(NT_SUCCESS( Status ));
|
|
|
|
Status = RtlAddAccessAllowedAce (
|
|
NewDacl,
|
|
ACL_REVISION2,
|
|
TOKEN_ALL_ACCESS,
|
|
NtLmGlobalProcessUserSid
|
|
);
|
|
ASSERT( NT_SUCCESS( Status ));
|
|
|
|
Status = RtlAddAccessAllowedAce (
|
|
NewDacl,
|
|
ACL_REVISION2,
|
|
TOKEN_ALL_ACCESS,
|
|
ThreadTokenUser->User.Sid
|
|
);
|
|
ASSERT( NT_SUCCESS( Status ));
|
|
|
|
if( fInsertImpersonatingUser )
|
|
{
|
|
Status = RtlAddAccessAllowedAce (
|
|
NewDacl,
|
|
ACL_REVISION2,
|
|
TOKEN_ALL_ACCESS,
|
|
ImpersonationTokenUser->User.Sid
|
|
);
|
|
ASSERT( NT_SUCCESS( Status ));
|
|
}
|
|
|
|
Status = RtlAddAccessAllowedAce (
|
|
NewDacl,
|
|
ACL_REVISION2,
|
|
TOKEN_ALL_ACCESS,
|
|
NtLmGlobalAliasAdminsSid
|
|
);
|
|
ASSERT( NT_SUCCESS( Status ));
|
|
|
|
Status = RtlAddAccessAllowedAce (
|
|
NewDacl,
|
|
ACL_REVISION2,
|
|
TOKEN_ALL_ACCESS,
|
|
NtLmGlobalLocalSystemSid
|
|
);
|
|
ASSERT( NT_SUCCESS( Status ));
|
|
|
|
Status = RtlCreateSecurityDescriptor (
|
|
&SecurityDescriptor,
|
|
SECURITY_DESCRIPTOR_REVISION
|
|
);
|
|
ASSERT( NT_SUCCESS( Status ));
|
|
|
|
Status = RtlSetDaclSecurityDescriptor(
|
|
&SecurityDescriptor,
|
|
TRUE,
|
|
NewDacl,
|
|
FALSE
|
|
);
|
|
|
|
ASSERT( NT_SUCCESS( Status ));
|
|
|
|
Status = NtSetSecurityObject(
|
|
Token,
|
|
DACL_SECURITY_INFORMATION,
|
|
&SecurityDescriptor
|
|
);
|
|
|
|
ASSERT( NT_SUCCESS( Status ));
|
|
|
|
|
|
Cleanup:
|
|
|
|
if (ImpersonationToken != NULL)
|
|
{
|
|
//
|
|
// put the thread token back if we were impersonating.
|
|
//
|
|
|
|
SetThreadToken( NULL, ImpersonationToken );
|
|
NtClose(ImpersonationToken);
|
|
}
|
|
|
|
|
|
if (SlowThreadTokenUser != NULL) {
|
|
NtLmFree( SlowThreadTokenUser );
|
|
}
|
|
|
|
if (SlowProcessTokenUser != NULL) {
|
|
NtLmFree( SlowProcessTokenUser );
|
|
}
|
|
|
|
if (SlowImpersonationTokenUser != NULL) {
|
|
|
|
NtLmFree( SlowImpersonationTokenUser );
|
|
}
|
|
|
|
if (SlowNewDacl != NULL) {
|
|
NtLmFree( SlowNewDacl );
|
|
}
|
|
|
|
if (ProcessToken != NULL)
|
|
{
|
|
NtClose(ProcessToken);
|
|
}
|
|
|
|
return( Status );
|
|
}
|
|
|
|
|
|
|
|
NTSTATUS
|
|
SspMapContext(
|
|
IN PULONG_PTR phContext,
|
|
IN PUCHAR pSessionKey,
|
|
IN ULONG NegotiateFlags,
|
|
IN HANDLE TokenHandle,
|
|
IN PTimeStamp PasswordExpiry OPTIONAL,
|
|
IN ULONG UserFlags,
|
|
OUT PSecBuffer ContextData
|
|
)
|
|
|
|
/*++
|
|
|
|
RoutineDescription:
|
|
|
|
Create a local context for a real context
|
|
Don't link it to out list of local contexts.
|
|
|
|
Arguments:
|
|
|
|
Return Value:
|
|
|
|
--*/
|
|
|
|
{
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
|
|
PNTLM_PACKED_CONTEXT pContext = NULL;
|
|
ULONG cbContextData;
|
|
|
|
WCHAR ContextNames[(UNLEN + DNS_MAX_NAME_LENGTH + 2 + 1) *sizeof (WCHAR)];
|
|
|
|
PLUID pLogonId = NULL;
|
|
TOKEN_STATISTICS TokenStats;
|
|
|
|
PSSP_CONTEXT pTempContext = (PSSP_CONTEXT)*phContext;
|
|
PACTIVE_LOGON *ActiveLogon = NULL, Logon = NULL;
|
|
LPWSTR UserName = NULL;
|
|
UINT Length = 0;
|
|
BOOLEAN ActiveLogonsAreLocked = FALSE;
|
|
|
|
if (pTempContext == NULL)
|
|
{
|
|
Status = STATUS_INVALID_HANDLE;
|
|
SspPrint(( SSP_CRITICAL, "SspMapContext, pTempContext is 0x%lx\n", pTempContext));
|
|
goto Cleanup;
|
|
}
|
|
|
|
if( pTempContext->Credential != NULL ) {
|
|
pLogonId = &(pTempContext->Credential->LogonId);
|
|
} else {
|
|
|
|
//
|
|
// if it was a local call where the default creds were used, lookup
|
|
// the username and domain name based on the AuthenticationId of the
|
|
// access token. The local call gets a duplicated access token
|
|
// associated with the original client, so information on this logon
|
|
// should be found in the active logon list.
|
|
//
|
|
|
|
if( NegotiateFlags & NTLMSSP_NEGOTIATE_LOCAL_CALL &&
|
|
pTempContext->UserName.Length == 0 &&
|
|
pTempContext->UserName.Buffer == NULL &&
|
|
pTempContext->DomainName.Length == 0 &&
|
|
pTempContext->DomainName.Buffer == NULL &&
|
|
TokenHandle ) {
|
|
|
|
DWORD TokenInfoLength = sizeof( TokenStats );
|
|
|
|
if( GetTokenInformation(
|
|
TokenHandle,
|
|
TokenStatistics,
|
|
&TokenStats,
|
|
TokenInfoLength,
|
|
&TokenInfoLength
|
|
)) {
|
|
|
|
pLogonId = &(TokenStats.AuthenticationId);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if( pLogonId )
|
|
{
|
|
NlpLockActiveLogonsRead();
|
|
ActiveLogonsAreLocked = TRUE;
|
|
if (!NlpFindActiveLogon (
|
|
pLogonId,
|
|
&ActiveLogon))
|
|
{
|
|
// Status = STATUS_NO_SUCH_LOGON_SESSION;
|
|
SspPrint(( SSP_API_MORE, "SspMapContext, NlpFindActiveLogon returns FALSE\n"));
|
|
// SspPrint(( SSP_CRITICAL, "SspMapContext, NlpFindActiveLogon returns FALSE\n"));
|
|
// goto Cleanup;
|
|
}
|
|
}
|
|
|
|
if (ActiveLogon != NULL)
|
|
{
|
|
Logon = *ActiveLogon;
|
|
}
|
|
|
|
ContextNames[0] = L'\0';
|
|
|
|
if (Logon != NULL)
|
|
{
|
|
if ( (Logon->UserName.Length > 0) &&
|
|
(Logon->LogonDomainName.Length > 0))
|
|
{
|
|
RtlCopyMemory (ContextNames,
|
|
Logon->LogonDomainName.Buffer,
|
|
Logon->LogonDomainName.Length);
|
|
|
|
Length = (Logon->LogonDomainName.Length)/sizeof(WCHAR);
|
|
|
|
ContextNames[Length] = L'\\';
|
|
Length += 1;
|
|
UserName = &ContextNames[Length];
|
|
|
|
RtlCopyMemory (UserName,
|
|
Logon->UserName.Buffer,
|
|
Logon->UserName.Length);
|
|
|
|
Length += (Logon->UserName.Length)/sizeof(WCHAR);
|
|
|
|
ContextNames[Length] = L'\0';
|
|
|
|
}
|
|
}
|
|
else
|
|
{
|
|
// We don't store network logons, but in the case of server side
|
|
// mapping, the client has sent us the Context Names, so use that.
|
|
// Also, handle the case where we don't have domainnames, just usernames
|
|
// Must handle the valid case where both domainname & username are NULL (rdr)
|
|
|
|
if ((pTempContext->DomainName.Length > 0) &&
|
|
(pTempContext->UserName.Length > 0))
|
|
{
|
|
RtlCopyMemory (ContextNames,
|
|
pTempContext->DomainName.Buffer,
|
|
pTempContext->DomainName.Length);
|
|
|
|
Length = (pTempContext->DomainName.Length)/sizeof(WCHAR);
|
|
|
|
ContextNames[Length] = L'\\';
|
|
Length += 1;
|
|
UserName = &ContextNames[Length];
|
|
|
|
RtlCopyMemory (UserName,
|
|
pTempContext->UserName.Buffer,
|
|
pTempContext->UserName.Length);
|
|
|
|
Length += (pTempContext->UserName.Length)/sizeof(WCHAR);
|
|
|
|
ContextNames[Length] = L'\0';
|
|
|
|
}
|
|
else if ((pTempContext->DomainName.Length == 0) &&
|
|
(pTempContext->UserName.Length >0))
|
|
{
|
|
RtlCopyMemory (ContextNames + Length,
|
|
pTempContext->UserName.Buffer,
|
|
pTempContext->UserName.Length);
|
|
|
|
Length = (pTempContext->UserName.Length)/sizeof(WCHAR);
|
|
|
|
ContextNames[Length] = L'\0';
|
|
}
|
|
}
|
|
|
|
//
|
|
// when domain is present, don't supply domain\UPN, supply domain\user
|
|
//
|
|
|
|
if( UserName ) {
|
|
DWORD cchUserName = wcslen(UserName);
|
|
DWORD i;
|
|
|
|
for( i = 0 ; i < cchUserName ; i++ ) {
|
|
|
|
if( UserName[ i ] == L'@' ) {
|
|
UserName[ i ] = L'\0';
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
|
|
Length = wcslen(ContextNames) * sizeof(WCHAR);
|
|
|
|
cbContextData =
|
|
sizeof(NTLM_PACKED_CONTEXT) +
|
|
Length +
|
|
sizeof(WCHAR);
|
|
|
|
cbContextData += pTempContext->cbMarshalledTargetInfo;
|
|
|
|
// the first sizeof (NTLM_CLIENT_CONTEXT) bytes can be
|
|
// casted to pContext anyway.
|
|
|
|
pContext = (PNTLM_PACKED_CONTEXT)NtLmAllocateLsaHeap( cbContextData );
|
|
|
|
if (!pContext)
|
|
{
|
|
SspPrint(( SSP_CRITICAL, "SspMapContext, NtLmAllocate returns NULL\n"));
|
|
Status = STATUS_INSUFFICIENT_RESOURCES;
|
|
goto Cleanup;
|
|
}
|
|
|
|
// ZeroMemory( pContext, cbContextData );
|
|
|
|
pContext->NegotiateFlags = NegotiateFlags;
|
|
|
|
|
|
RtlCopyMemory( pContext->SessionKey,
|
|
pSessionKey,
|
|
MSV1_0_USER_SESSION_KEY_LENGTH);
|
|
|
|
|
|
// Save away the LsaContextHandle
|
|
// pContext->LsaContext = *phContext;
|
|
|
|
// dup token if it exists
|
|
|
|
pContext->ClientTokenHandle = 0 ;
|
|
|
|
if (TokenHandle != NULL)
|
|
{
|
|
HANDLE Tmp ;
|
|
Status = LsaFunctions->DuplicateHandle(
|
|
TokenHandle,
|
|
&Tmp );
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
if (pContext)
|
|
{
|
|
NtLmFreeLsaHeap(pContext);
|
|
}
|
|
SspPrint(( SSP_CRITICAL, "SspMapContext, DuplicateHandle returns 0x%lx\n", Status));
|
|
goto Cleanup;
|
|
}
|
|
|
|
pContext->ClientTokenHandle = (ULONG) ((ULONG_PTR) Tmp) ;
|
|
}
|
|
|
|
if (cbContextData > sizeof(NTLM_PACKED_CONTEXT) )
|
|
{
|
|
pContext->ContextNames = sizeof(NTLM_PACKED_CONTEXT);
|
|
pContext->ContextNameLength = Length;
|
|
|
|
RtlCopyMemory(pContext+1,
|
|
ContextNames,
|
|
pContext->ContextNameLength
|
|
);
|
|
|
|
|
|
pContext->ContextNameLength += sizeof(WCHAR);
|
|
}
|
|
else
|
|
{
|
|
pContext->ContextNames = 0;
|
|
pContext->ContextNameLength = 0;
|
|
}
|
|
|
|
|
|
if( pTempContext->pbMarshalledTargetInfo )
|
|
{
|
|
pContext->MarshalledTargetInfo = (ULONG)pContext->ContextNameLength + sizeof(NTLM_PACKED_CONTEXT) ;
|
|
pContext->MarshalledTargetInfoLength = pTempContext->cbMarshalledTargetInfo;
|
|
|
|
RtlCopyMemory( (PBYTE)pContext+pContext->MarshalledTargetInfo,
|
|
pTempContext->pbMarshalledTargetInfo,
|
|
pContext->MarshalledTargetInfoLength
|
|
);
|
|
|
|
}
|
|
|
|
pContext->SendNonce = 0;
|
|
pContext->RecvNonce = 0;
|
|
|
|
|
|
ContextData->pvBuffer = pContext;
|
|
ContextData->cbBuffer = cbContextData;
|
|
|
|
|
|
if(ARGUMENT_PRESENT(PasswordExpiry)) {
|
|
pContext->PasswordExpiry = *PasswordExpiry;
|
|
} else {
|
|
pContext->PasswordExpiry.QuadPart = 0;
|
|
}
|
|
|
|
pContext->UserFlags = UserFlags;
|
|
|
|
Cleanup:
|
|
if (ActiveLogonsAreLocked)
|
|
{
|
|
NlpUnlockActiveLogons();
|
|
}
|
|
return(Status);
|
|
}
|
|
|
|
|
|
ULONG
|
|
HandleToListIndex(
|
|
ULONG_PTR ContextHandle
|
|
)
|
|
{
|
|
ASSERT( (NTLM_USERLIST_COUNT != 0) );
|
|
ASSERT( (NTLM_USERLIST_COUNT & 1) == 0 );
|
|
|
|
ULONG Number ;
|
|
ULONG Hash;
|
|
ULONG HashFinal;
|
|
|
|
Number = (ULONG)ContextHandle;
|
|
|
|
Hash = Number;
|
|
Hash += Number >> 8;
|
|
Hash += Number >> 16;
|
|
Hash += Number >> 24;
|
|
|
|
HashFinal = Hash;
|
|
HashFinal += Hash >> 4;
|
|
|
|
//
|
|
// insure power of two if not one.
|
|
//
|
|
|
|
return ( HashFinal & (NTLM_USERLIST_COUNT-1) ) ;
|
|
}
|
|
|
|
ULONG
|
|
__inline
|
|
ListIndexToLockIndex(
|
|
ULONG ListIndex
|
|
)
|
|
{
|
|
ASSERT( (NTLM_USERLIST_LOCK_COUNT) != 0 );
|
|
ASSERT( (NTLM_USERLIST_LOCK_COUNT & 1) == 0 );
|
|
|
|
//
|
|
// insure power of two if not one.
|
|
//
|
|
|
|
return ( ListIndex & (NTLM_USERLIST_LOCK_COUNT-1) );
|
|
}
|