mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2537 lines
66 KiB
2537 lines
66 KiB
//+---------------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
// Copyright (C) Microsoft Corporation, 1992 - 1995.
|
|
//
|
|
// File: mapper.c
|
|
//
|
|
// Contents: Implements the DS Mapping Layer
|
|
//
|
|
// Classes:
|
|
//
|
|
// Functions:
|
|
//
|
|
// History: 10-15-96 RichardW Created
|
|
//
|
|
// Notes: The code here has two forks. One, the direct path, for when
|
|
// the DLL is running on a DC, and the second, for when we're
|
|
// running elsewhere and remoting through the generic channel
|
|
// to the DC.
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
|
|
#include "sslp.h"
|
|
#include <crypt.h>
|
|
#include <lmcons.h>
|
|
#include <ntsam.h>
|
|
#include <samrpc.h>
|
|
#include <samisrv.h>
|
|
#include <lsarpc.h>
|
|
#include <lsaisrv.h>
|
|
#include <dnsapi.h>
|
|
#include <certmap.h>
|
|
#include <align.h>
|
|
#include <ntmsv1_0.h>
|
|
#include <ntdsapi.h>
|
|
#include <ntdsapip.h>
|
|
#include "mapsam.h"
|
|
#include "wincrypt.h"
|
|
#include <msaudite.h>
|
|
|
|
|
|
LONG WINAPI
|
|
SslLocalRefMapper(
|
|
PHMAPPER Mapper);
|
|
|
|
LONG WINAPI
|
|
SslLocalDerefMapper(
|
|
PHMAPPER Mapper);
|
|
|
|
DWORD WINAPI
|
|
SslLocalGetIssuerList(
|
|
IN PHMAPPER Mapper,
|
|
IN PVOID Reserved,
|
|
OUT PBYTE pIssuerList,
|
|
OUT PDWORD IssuerListLength);
|
|
|
|
DWORD WINAPI
|
|
SslLocalGetChallenge(
|
|
IN PHMAPPER Mapper,
|
|
IN PUCHAR AuthenticatorId,
|
|
IN DWORD AuthenticatorIdLength,
|
|
OUT PUCHAR Challenge,
|
|
OUT DWORD * ChallengeLength);
|
|
|
|
DWORD WINAPI
|
|
SslLocalMapCredential(
|
|
IN PHMAPPER Mapper,
|
|
IN DWORD CredentialType,
|
|
VOID const *pCredential,
|
|
VOID const *pAuthority,
|
|
OUT HLOCATOR * phLocator);
|
|
|
|
DWORD WINAPI
|
|
SslRemoteMapCredential(
|
|
IN PHMAPPER Mapper,
|
|
IN DWORD CredentialType,
|
|
VOID const *pCredential,
|
|
VOID const *pAuthority,
|
|
OUT HLOCATOR * phLocator);
|
|
|
|
DWORD WINAPI
|
|
SslLocalCloseLocator(
|
|
IN PHMAPPER Mapper,
|
|
IN HLOCATOR Locator);
|
|
|
|
DWORD WINAPI
|
|
SslLocalGetAccessToken(
|
|
IN PHMAPPER Mapper,
|
|
IN HLOCATOR Locator,
|
|
OUT HANDLE *Token);
|
|
|
|
MAPPER_VTABLE SslLocalTable = { SslLocalRefMapper,
|
|
SslLocalDerefMapper,
|
|
SslLocalGetIssuerList,
|
|
SslLocalGetChallenge,
|
|
SslLocalMapCredential,
|
|
SslLocalGetAccessToken,
|
|
SslLocalCloseLocator
|
|
};
|
|
|
|
MAPPER_VTABLE SslRemoteTable = {SslLocalRefMapper,
|
|
SslLocalDerefMapper,
|
|
SslLocalGetIssuerList,
|
|
SslLocalGetChallenge,
|
|
SslRemoteMapCredential,
|
|
SslLocalGetAccessToken,
|
|
SslLocalCloseLocator
|
|
};
|
|
|
|
|
|
MAPPER_VTABLE SslUserModeTable = {
|
|
SslLocalRefMapper,
|
|
SslLocalDerefMapper,
|
|
NULL,
|
|
NULL,
|
|
NULL,
|
|
SslLocalGetAccessToken,
|
|
SslLocalCloseLocator
|
|
};
|
|
|
|
|
|
typedef struct _SSL_MAPPER_CONTEXT {
|
|
HMAPPER Mapper ;
|
|
LONG Ref ;
|
|
|
|
} SSL_MAPPER_CONTEXT, * PSSL_MAPPER_CONTEXT ;
|
|
|
|
|
|
NTSTATUS
|
|
WINAPI
|
|
SslBuildCertLogonRequest(
|
|
PCCERT_CHAIN_CONTEXT pChainContext,
|
|
DWORD dwMethods,
|
|
PSSL_CERT_LOGON_REQ *ppRequest,
|
|
PDWORD pcbRequest);
|
|
|
|
NTSTATUS
|
|
WINAPI
|
|
SslMapCertAtDC(
|
|
PUNICODE_STRING DomainName,
|
|
VOID const *pCredential,
|
|
DWORD cbCredential,
|
|
PMSV1_0_PASSTHROUGH_RESPONSE * DcResponse
|
|
);
|
|
|
|
PWSTR SslDnsDomainName ;
|
|
SECURITY_STRING SslNullString = { 0, sizeof( WCHAR ), L"" };
|
|
|
|
|
|
PHMAPPER
|
|
SslGetMapper(
|
|
BOOL Ignored
|
|
)
|
|
{
|
|
PSSL_MAPPER_CONTEXT Context ;
|
|
NTSTATUS Status ;
|
|
NT_PRODUCT_TYPE ProductType ;
|
|
BOOL DC ;
|
|
|
|
if ( RtlGetNtProductType( &ProductType ) )
|
|
{
|
|
DC = (ProductType == NtProductLanManNt );
|
|
}
|
|
else
|
|
{
|
|
return NULL ;
|
|
}
|
|
|
|
Context = (PSSL_MAPPER_CONTEXT) SPExternalAlloc( sizeof( SSL_MAPPER_CONTEXT ) );
|
|
|
|
if ( Context )
|
|
{
|
|
Context->Mapper.m_dwMapperVersion = MAPPER_INTERFACE_VER ;
|
|
Context->Mapper.m_dwFlags = SCH_FLAG_SYSTEM_MAPPER ;
|
|
Context->Mapper.m_Reserved1 = NULL ;
|
|
|
|
Context->Ref = 0;
|
|
|
|
|
|
if ( DC )
|
|
{
|
|
Context->Mapper.m_vtable = &SslLocalTable ;
|
|
}
|
|
else
|
|
{
|
|
Context->Mapper.m_vtable = &SslRemoteTable ;
|
|
}
|
|
|
|
return &Context->Mapper ;
|
|
}
|
|
else
|
|
{
|
|
return NULL ;
|
|
}
|
|
}
|
|
|
|
|
|
LONG
|
|
WINAPI
|
|
SslLocalRefMapper(
|
|
PHMAPPER Mapper
|
|
)
|
|
{
|
|
PSSL_MAPPER_CONTEXT Context ;
|
|
|
|
Context = (PSSL_MAPPER_CONTEXT) Mapper ;
|
|
|
|
if ( Context == NULL )
|
|
{
|
|
return( -1 );
|
|
}
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "Ref of Context %x\n", Mapper ));
|
|
|
|
return( InterlockedIncrement( &Context->Ref ) );
|
|
|
|
}
|
|
|
|
LONG
|
|
WINAPI
|
|
SslLocalDerefMapper(
|
|
PHMAPPER Mapper
|
|
)
|
|
{
|
|
PSSL_MAPPER_CONTEXT Context ;
|
|
DWORD RefCount;
|
|
|
|
Context = (PSSL_MAPPER_CONTEXT) Mapper ;
|
|
|
|
if ( Context == NULL )
|
|
{
|
|
return( -1 );
|
|
}
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "Deref of Context %x\n", Mapper ));
|
|
|
|
RefCount = InterlockedDecrement( &Context->Ref );
|
|
|
|
if(RefCount == 0)
|
|
{
|
|
SPExternalFree(Context);
|
|
}
|
|
|
|
return RefCount;
|
|
}
|
|
|
|
DWORD
|
|
WINAPI
|
|
SslLocalGetIssuerList(
|
|
IN PHMAPPER Mapper,
|
|
IN PVOID Reserved,
|
|
OUT PBYTE pIssuerList,
|
|
OUT PDWORD IssuerListLength
|
|
)
|
|
{
|
|
DebugLog(( DEB_TRACE_MAPPER, "GetIssuerList, context %x\n", Mapper ));
|
|
|
|
return( GetDefaultIssuers(pIssuerList, IssuerListLength) );
|
|
}
|
|
|
|
|
|
DWORD
|
|
WINAPI
|
|
SslLocalGetChallenge(
|
|
IN PHMAPPER Mapper,
|
|
IN PUCHAR AuthenticatorId,
|
|
IN DWORD AuthenticatorIdLength,
|
|
OUT PUCHAR Challenge,
|
|
OUT DWORD * ChallengeLength
|
|
)
|
|
{
|
|
DebugLog(( DEB_TRACE_MAPPER, "GetChallenge, context %x\n", Mapper ));
|
|
|
|
return SEC_E_UNSUPPORTED_FUNCTION;
|
|
}
|
|
|
|
|
|
SECURITY_STATUS
|
|
SslCreateTokenFromPac(
|
|
PUCHAR AuthInfo,
|
|
ULONG AuthInfoLength,
|
|
PUNICODE_STRING Domain,
|
|
PLUID NewLogonId,
|
|
PHANDLE NewToken
|
|
)
|
|
{
|
|
NTSTATUS Status ;
|
|
PVOID TokenInfo ;
|
|
LSA_TOKEN_INFORMATION_TYPE TokenInfoType ;
|
|
PLSA_TOKEN_INFORMATION_V1 TokenV1 ;
|
|
PLSA_TOKEN_INFORMATION_NULL TokenNull ;
|
|
LUID LogonId ;
|
|
HANDLE TokenHandle ;
|
|
NTSTATUS SubStatus ;
|
|
SECURITY_STRING PacUserName ;
|
|
|
|
//
|
|
// Get the marshalled blob into a more useful form:
|
|
//
|
|
|
|
PacUserName.Buffer = NULL ;
|
|
|
|
Status = LsaTable->ConvertAuthDataToToken(
|
|
AuthInfo,
|
|
AuthInfoLength,
|
|
SecurityImpersonation,
|
|
&SslTokenSource,
|
|
Network,
|
|
Domain,
|
|
&TokenHandle,
|
|
&LogonId,
|
|
&PacUserName,
|
|
&SubStatus
|
|
);
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
LsaTable->AuditLogon(
|
|
STATUS_SUCCESS,
|
|
STATUS_SUCCESS,
|
|
&PacUserName,
|
|
Domain,
|
|
NULL,
|
|
NULL,
|
|
Network,
|
|
&SslTokenSource,
|
|
&LogonId );
|
|
}
|
|
else
|
|
{
|
|
LsaTable->AuditLogon(
|
|
Status,
|
|
Status,
|
|
&SslNullString,
|
|
&SslNullString,
|
|
NULL,
|
|
NULL,
|
|
Network,
|
|
&SslTokenSource,
|
|
&LogonId );
|
|
|
|
}
|
|
|
|
if ( !NT_SUCCESS( Status ) )
|
|
{
|
|
return Status ;
|
|
}
|
|
|
|
|
|
*NewToken = TokenHandle ;
|
|
*NewLogonId = LogonId ;
|
|
|
|
|
|
if ( PacUserName.Buffer )
|
|
{
|
|
LsaTable->FreeLsaHeap( PacUserName.Buffer );
|
|
}
|
|
|
|
return Status ;
|
|
}
|
|
|
|
#define ISSUER_HEADER L"<I>"
|
|
#define CCH_ISSUER_HEADER 3
|
|
#define SUBJECT_HEADER L"<S>"
|
|
#define CCH_SUBJECT_HEADER 3
|
|
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Function: SslGetNameFromCertificate
|
|
//
|
|
// Synopsis: Extracts the UPN name from the certificate
|
|
//
|
|
// Arguments: [pCert] --
|
|
// [ppszName] --
|
|
// [pfMachineCert] --
|
|
//
|
|
// History: 8-8-2000 jbanes Created
|
|
//
|
|
// Notes:
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
NTSTATUS
|
|
SslGetNameFromCertificate(
|
|
PCCERT_CONTEXT pCert,
|
|
PWSTR * ppszName,
|
|
BOOL * pfMachineCert)
|
|
{
|
|
ULONG ExtensionIndex;
|
|
PWSTR pszName;
|
|
DWORD cbName;
|
|
|
|
*pfMachineCert = FALSE;
|
|
|
|
//
|
|
// See if cert has UPN in AltSubjectName->otherName
|
|
//
|
|
|
|
pszName = NULL;
|
|
|
|
for(ExtensionIndex = 0;
|
|
ExtensionIndex < pCert->pCertInfo->cExtension;
|
|
ExtensionIndex++)
|
|
{
|
|
if(strcmp(pCert->pCertInfo->rgExtension[ExtensionIndex].pszObjId,
|
|
szOID_SUBJECT_ALT_NAME2) == 0)
|
|
{
|
|
PCERT_ALT_NAME_INFO AltName = NULL;
|
|
DWORD AltNameStructSize = 0;
|
|
ULONG CertAltNameIndex = 0;
|
|
|
|
if(CryptDecodeObjectEx(pCert->dwCertEncodingType,
|
|
X509_ALTERNATE_NAME,
|
|
pCert->pCertInfo->rgExtension[ExtensionIndex].Value.pbData,
|
|
pCert->pCertInfo->rgExtension[ExtensionIndex].Value.cbData,
|
|
CRYPT_DECODE_ALLOC_FLAG,
|
|
NULL,
|
|
(PVOID)&AltName,
|
|
&AltNameStructSize))
|
|
{
|
|
|
|
for(CertAltNameIndex = 0; CertAltNameIndex < AltName->cAltEntry; CertAltNameIndex++)
|
|
{
|
|
PCERT_ALT_NAME_ENTRY AltNameEntry = &AltName->rgAltEntry[CertAltNameIndex];
|
|
|
|
if((CERT_ALT_NAME_OTHER_NAME == AltNameEntry->dwAltNameChoice) &&
|
|
(NULL != AltNameEntry->pOtherName) &&
|
|
(0 == strcmp(szOID_NT_PRINCIPAL_NAME, AltNameEntry->pOtherName->pszObjId)))
|
|
{
|
|
PCERT_NAME_VALUE PrincipalNameBlob = NULL;
|
|
DWORD PrincipalNameBlobSize = 0;
|
|
|
|
// We found a UPN!
|
|
if(CryptDecodeObjectEx(pCert->dwCertEncodingType,
|
|
X509_UNICODE_ANY_STRING,
|
|
AltNameEntry->pOtherName->Value.pbData,
|
|
AltNameEntry->pOtherName->Value.cbData,
|
|
CRYPT_DECODE_ALLOC_FLAG,
|
|
NULL,
|
|
(PVOID)&PrincipalNameBlob,
|
|
&PrincipalNameBlobSize))
|
|
{
|
|
pszName = LocalAlloc(LPTR, PrincipalNameBlob->Value.cbData + sizeof(WCHAR));
|
|
if(pszName != NULL)
|
|
{
|
|
CopyMemory(pszName, PrincipalNameBlob->Value.pbData, PrincipalNameBlob->Value.cbData);
|
|
}
|
|
|
|
LocalFree(PrincipalNameBlob);
|
|
PrincipalNameBlob = NULL;
|
|
|
|
if(pszName == NULL)
|
|
{
|
|
LocalFree(AltName);
|
|
return STATUS_NO_MEMORY;
|
|
}
|
|
}
|
|
if(pszName)
|
|
{
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
LocalFree(AltName);
|
|
AltName = NULL;
|
|
|
|
if(pszName)
|
|
{
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// See if cert has DNS in AltSubjectName->pwszDNSName
|
|
//
|
|
|
|
if(pszName == NULL)
|
|
{
|
|
for(ExtensionIndex = 0;
|
|
ExtensionIndex < pCert->pCertInfo->cExtension;
|
|
ExtensionIndex++)
|
|
{
|
|
if(strcmp(pCert->pCertInfo->rgExtension[ExtensionIndex].pszObjId,
|
|
szOID_SUBJECT_ALT_NAME2) == 0)
|
|
{
|
|
PCERT_ALT_NAME_INFO AltName = NULL;
|
|
DWORD AltNameStructSize = 0;
|
|
ULONG CertAltNameIndex = 0;
|
|
|
|
if(CryptDecodeObjectEx(pCert->dwCertEncodingType,
|
|
X509_ALTERNATE_NAME,
|
|
pCert->pCertInfo->rgExtension[ExtensionIndex].Value.pbData,
|
|
pCert->pCertInfo->rgExtension[ExtensionIndex].Value.cbData,
|
|
CRYPT_DECODE_ALLOC_FLAG,
|
|
NULL,
|
|
(PVOID)&AltName,
|
|
&AltNameStructSize))
|
|
{
|
|
|
|
for(CertAltNameIndex = 0; CertAltNameIndex < AltName->cAltEntry; CertAltNameIndex++)
|
|
{
|
|
PCERT_ALT_NAME_ENTRY AltNameEntry = &AltName->rgAltEntry[CertAltNameIndex];
|
|
|
|
if((CERT_ALT_NAME_DNS_NAME == AltNameEntry->dwAltNameChoice) &&
|
|
(NULL != AltNameEntry->pwszDNSName))
|
|
{
|
|
PCERT_NAME_VALUE PrincipalNameBlob = NULL;
|
|
DWORD PrincipalNameBlobSize = 0;
|
|
|
|
// We found a DNS!
|
|
cbName = (wcslen(AltNameEntry->pwszDNSName) + 1) * sizeof(WCHAR);
|
|
|
|
pszName = LocalAlloc(LPTR, cbName);
|
|
if(pszName == NULL)
|
|
{
|
|
LocalFree(AltName);
|
|
return STATUS_NO_MEMORY;
|
|
}
|
|
|
|
CopyMemory(pszName, AltNameEntry->pwszDNSName, cbName);
|
|
*pfMachineCert = TRUE;
|
|
break;
|
|
}
|
|
}
|
|
LocalFree(AltName);
|
|
AltName = NULL;
|
|
|
|
if(pszName)
|
|
{
|
|
break;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
//
|
|
// There was no UPN in the AltSubjectName, so look for
|
|
// one in the Subject Name, in case this is a B3 compatability
|
|
// cert.
|
|
//
|
|
|
|
if(pszName == NULL)
|
|
{
|
|
ULONG Length;
|
|
|
|
Length = CertGetNameString( pCert,
|
|
CERT_NAME_ATTR_TYPE,
|
|
0,
|
|
szOID_COMMON_NAME,
|
|
NULL,
|
|
0 );
|
|
|
|
if(Length)
|
|
{
|
|
pszName = LocalAlloc(LPTR, Length * sizeof(WCHAR));
|
|
|
|
if(!pszName)
|
|
{
|
|
return STATUS_NO_MEMORY ;
|
|
}
|
|
|
|
if ( !CertGetNameStringW(pCert,
|
|
CERT_NAME_ATTR_TYPE,
|
|
0,
|
|
szOID_COMMON_NAME,
|
|
pszName,
|
|
Length))
|
|
{
|
|
return GetLastError();
|
|
}
|
|
}
|
|
}
|
|
|
|
|
|
if(pszName)
|
|
{
|
|
*ppszName = pszName;
|
|
}
|
|
else
|
|
{
|
|
return STATUS_NOT_FOUND;
|
|
}
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Function: SslTryUpn
|
|
//
|
|
// Synopsis: Tries to find the user by UPN encoded in Cert
|
|
//
|
|
// Arguments: [User] --
|
|
// [AuthData] --
|
|
// [AuthDataLen] --
|
|
//
|
|
// History: 5-11-98 RichardW Created
|
|
//
|
|
// Notes:
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
NTSTATUS
|
|
SslTryUpn(
|
|
PCCERT_CONTEXT User,
|
|
PUCHAR * AuthData,
|
|
PULONG AuthDataLen,
|
|
PWSTR * ReferencedDomain
|
|
)
|
|
{
|
|
NTSTATUS Status ;
|
|
UNICODE_STRING Upn = {0, 0, NULL};
|
|
UNICODE_STRING Cracked = {0};
|
|
UNICODE_STRING DnsDomain = {0};
|
|
UNICODE_STRING FlatName = { 0 };
|
|
ULONG SubStatus ;
|
|
BOOL fMachineCert;
|
|
PWSTR pszName = NULL;
|
|
|
|
|
|
*ReferencedDomain = NULL ;
|
|
|
|
|
|
//
|
|
// Get the client name from the cert
|
|
//
|
|
|
|
Status = SslGetNameFromCertificate(User, &pszName, &fMachineCert);
|
|
|
|
if(!NT_SUCCESS(Status))
|
|
{
|
|
return Status;
|
|
}
|
|
|
|
|
|
//
|
|
// now, try and find this guy:
|
|
//
|
|
|
|
if(fMachineCert)
|
|
{
|
|
Status = STATUS_NOT_FOUND;
|
|
}
|
|
else
|
|
{
|
|
// Search for "[email protected]".
|
|
Upn.Buffer = pszName;
|
|
Upn.Length = wcslen(Upn.Buffer) * sizeof(WCHAR);
|
|
Upn.MaximumLength = Upn.Length + sizeof(WCHAR);
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "Looking for UPN name %ws\n", Upn.Buffer ));
|
|
|
|
Status = LsaTable->GetAuthDataForUser( &Upn,
|
|
SecNameFlat,
|
|
NULL,
|
|
AuthData,
|
|
AuthDataLen,
|
|
&FlatName );
|
|
|
|
if ( FlatName.Length )
|
|
{
|
|
LsaTable->AuditAccountLogon(
|
|
SE_AUDITID_ACCOUNT_MAPPED,
|
|
(BOOLEAN) NT_SUCCESS( Status ),
|
|
&SslPackageName,
|
|
&Upn,
|
|
&FlatName,
|
|
Status );
|
|
|
|
LsaTable->FreeLsaHeap( FlatName.Buffer );
|
|
}
|
|
}
|
|
|
|
|
|
if ( Status == STATUS_NOT_FOUND )
|
|
{
|
|
//
|
|
// Do the hacky check of seeing if this is our own domain, and
|
|
// if so, try opening the user as a flat, SAM name.
|
|
//
|
|
|
|
if(fMachineCert)
|
|
{
|
|
PWSTR pPeriod;
|
|
WCHAR ch;
|
|
|
|
pPeriod = wcschr( pszName, L'.' );
|
|
|
|
if(pPeriod)
|
|
{
|
|
if ( DnsNameCompare_W( (pPeriod+1), SslDnsDomainName ) )
|
|
{
|
|
ch = *(pPeriod + 1);
|
|
|
|
*pPeriod = L'$';
|
|
*(pPeriod + 1) = L'\0';
|
|
|
|
Upn.Buffer = pszName;
|
|
Upn.Length = wcslen( Upn.Buffer ) * sizeof( WCHAR );
|
|
Upn.MaximumLength = Upn.Length + sizeof(WCHAR);
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "Looking for machine name %ws\n", Upn.Buffer ));
|
|
|
|
// Search for "computer$".
|
|
Status = LsaTable->GetAuthDataForUser( &Upn,
|
|
SecNameSamCompatible,
|
|
NULL,
|
|
AuthData,
|
|
AuthDataLen,
|
|
NULL );
|
|
|
|
*pPeriod = L'.';
|
|
*(pPeriod + 1) = ch;
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
PWSTR AtSign;
|
|
|
|
AtSign = wcschr( pszName, L'@' );
|
|
|
|
if ( AtSign )
|
|
{
|
|
if ( DnsNameCompare_W( (AtSign+1), SslDnsDomainName ) )
|
|
{
|
|
*AtSign = L'\0';
|
|
|
|
Upn.Buffer = pszName;
|
|
Upn.Length = wcslen( Upn.Buffer ) * sizeof( WCHAR );
|
|
Upn.MaximumLength = Upn.Length + sizeof(WCHAR);
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "Looking for user name %ws\n", Upn.Buffer ));
|
|
|
|
// Search for "username".
|
|
Status = LsaTable->GetAuthDataForUser( &Upn,
|
|
SecNameSamCompatible,
|
|
NULL,
|
|
AuthData,
|
|
AuthDataLen,
|
|
NULL );
|
|
|
|
*AtSign = L'@';
|
|
}
|
|
}
|
|
}
|
|
|
|
if (Status == STATUS_NOT_FOUND )
|
|
{
|
|
Upn.Buffer = pszName;
|
|
Upn.Length = wcslen(Upn.Buffer) * sizeof(WCHAR);
|
|
Upn.MaximumLength = Upn.Length + sizeof(WCHAR);
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "Cracking name %ws at GC\n", Upn.Buffer ));
|
|
|
|
Status = LsaTable->CrackSingleName(
|
|
DS_USER_PRINCIPAL_NAME,
|
|
TRUE,
|
|
&Upn,
|
|
NULL,
|
|
DS_NT4_ACCOUNT_NAME,
|
|
&Cracked,
|
|
&DnsDomain,
|
|
&SubStatus );
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
if ( SubStatus == 0 )
|
|
{
|
|
*ReferencedDomain = DnsDomain.Buffer ;
|
|
DnsDomain.Buffer = NULL;
|
|
}
|
|
|
|
if(Cracked.Buffer != NULL)
|
|
{
|
|
LsaTable->FreeLsaHeap( Cracked.Buffer );
|
|
}
|
|
if(DnsDomain.Buffer != NULL)
|
|
{
|
|
LsaTable->FreeLsaHeap( DnsDomain.Buffer );
|
|
}
|
|
|
|
Status = STATUS_NOT_FOUND ;
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if(pszName)
|
|
{
|
|
LocalFree(pszName);
|
|
}
|
|
|
|
return Status ;
|
|
}
|
|
|
|
|
|
|
|
void
|
|
ConvertNameString(UNICODE_STRING *Name)
|
|
{
|
|
PWSTR Comma1, Comma2;
|
|
|
|
//
|
|
// Scan through the name, converting "\r\n" to ",". This should be
|
|
// done by the CertNameToStr APIs, but that won't happen for a while.
|
|
//
|
|
|
|
Comma1 = Comma2 = Name->Buffer ;
|
|
while ( *Comma2 )
|
|
{
|
|
*Comma1 = *Comma2 ;
|
|
|
|
if ( *Comma2 == L'\r' )
|
|
{
|
|
if ( *(Comma2 + 1) == L'\n' )
|
|
{
|
|
*Comma1 = L',';
|
|
Comma2++ ;
|
|
}
|
|
}
|
|
|
|
Comma1++;
|
|
Comma2++;
|
|
}
|
|
|
|
*Comma1 = L'\0';
|
|
|
|
Name->Length = wcslen( Name->Buffer ) * sizeof( WCHAR );
|
|
}
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Function: SslTryCompoundName
|
|
//
|
|
// Synopsis: Tries to find the user by concatenating the issuer and subject
|
|
// names, and looking for an AlternateSecurityId.
|
|
//
|
|
// Arguments: [User] --
|
|
// [AuthData] --
|
|
// [AuthDataLen] --
|
|
//
|
|
// History: 5-11-98 RichardW Created
|
|
//
|
|
// Notes:
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
NTSTATUS
|
|
SslTryCompoundName(
|
|
PCCERT_CONTEXT User,
|
|
PUCHAR * AuthData,
|
|
PULONG AuthDataLen,
|
|
PWSTR * ReferencedDomain
|
|
)
|
|
{
|
|
UNICODE_STRING CompoundName ;
|
|
ULONG Length ;
|
|
ULONG IssuerLength ;
|
|
NTSTATUS Status ;
|
|
PWSTR Current ;
|
|
PWSTR Comma1, Comma2 ;
|
|
UNICODE_STRING Cracked = {0};
|
|
UNICODE_STRING DnsDomain = {0};
|
|
UNICODE_STRING FlatName = { 0 };
|
|
ULONG SubStatus ;
|
|
const DWORD dwNameToStrFlags = CERT_X500_NAME_STR |
|
|
CERT_NAME_STR_NO_PLUS_FLAG |
|
|
CERT_NAME_STR_CRLF_FLAG;
|
|
|
|
*ReferencedDomain = NULL ;
|
|
|
|
IssuerLength = CertNameToStr( User->dwCertEncodingType,
|
|
&User->pCertInfo->Issuer,
|
|
dwNameToStrFlags,
|
|
NULL,
|
|
0 );
|
|
|
|
Length = CertNameToStr( User->dwCertEncodingType,
|
|
&User->pCertInfo->Subject,
|
|
dwNameToStrFlags,
|
|
NULL,
|
|
0 );
|
|
|
|
if ( ( IssuerLength == 0 ) ||
|
|
( Length == 0 ) )
|
|
{
|
|
return STATUS_NO_MEMORY ;
|
|
}
|
|
|
|
CompoundName.MaximumLength = (USHORT) (Length + IssuerLength +
|
|
CCH_ISSUER_HEADER + CCH_SUBJECT_HEADER) *
|
|
sizeof( WCHAR ) ;
|
|
|
|
CompoundName.Buffer = LocalAlloc( LMEM_FIXED, CompoundName.MaximumLength );
|
|
|
|
if ( CompoundName.Buffer )
|
|
{
|
|
wcscpy( CompoundName.Buffer, ISSUER_HEADER );
|
|
Current = CompoundName.Buffer + CCH_ISSUER_HEADER ;
|
|
|
|
IssuerLength = CertNameToStrW( User->dwCertEncodingType,
|
|
&User->pCertInfo->Issuer,
|
|
dwNameToStrFlags,
|
|
Current,
|
|
IssuerLength );
|
|
|
|
Current += IssuerLength - 1 ;
|
|
wcscpy( Current, SUBJECT_HEADER );
|
|
Current += CCH_SUBJECT_HEADER ;
|
|
|
|
Length = CertNameToStrW( User->dwCertEncodingType,
|
|
&User->pCertInfo->Subject,
|
|
dwNameToStrFlags,
|
|
Current,
|
|
Length );
|
|
|
|
ConvertNameString(&CompoundName);
|
|
|
|
Status = LsaTable->GetAuthDataForUser( &CompoundName,
|
|
SecNameAlternateId,
|
|
&SslNamePrefix,
|
|
AuthData,
|
|
AuthDataLen,
|
|
&FlatName );
|
|
|
|
if ( FlatName.Length )
|
|
{
|
|
LsaTable->AuditAccountLogon(
|
|
SE_AUDITID_ACCOUNT_MAPPED,
|
|
(BOOLEAN) NT_SUCCESS( Status ),
|
|
&SslPackageName,
|
|
&CompoundName,
|
|
&FlatName,
|
|
Status );
|
|
|
|
LsaTable->FreeLsaHeap( FlatName.Buffer );
|
|
}
|
|
|
|
if ( Status == STATUS_NOT_FOUND )
|
|
{
|
|
Status = LsaTable->CrackSingleName(
|
|
DS_ALT_SECURITY_IDENTITIES_NAME,
|
|
TRUE,
|
|
&CompoundName,
|
|
&SslNamePrefix,
|
|
DS_NT4_ACCOUNT_NAME,
|
|
&Cracked,
|
|
&DnsDomain,
|
|
&SubStatus );
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
if ( SubStatus == 0 )
|
|
{
|
|
*ReferencedDomain = DnsDomain.Buffer ;
|
|
DnsDomain.Buffer = NULL;
|
|
}
|
|
|
|
if(Cracked.Buffer != NULL)
|
|
{
|
|
LsaTable->FreeLsaHeap( Cracked.Buffer );
|
|
}
|
|
if(DnsDomain.Buffer != NULL)
|
|
{
|
|
LsaTable->FreeLsaHeap( DnsDomain.Buffer );
|
|
}
|
|
|
|
Status = STATUS_NOT_FOUND ;
|
|
}
|
|
|
|
}
|
|
|
|
LocalFree( CompoundName.Buffer );
|
|
}
|
|
else
|
|
{
|
|
Status = STATUS_NO_MEMORY ;
|
|
}
|
|
|
|
return Status ;
|
|
|
|
|
|
}
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Function: SslTryIssuer
|
|
//
|
|
// Synopsis: Tries to find a user that has an issuer mapped to it.
|
|
//
|
|
// Arguments: [User] --
|
|
// [AuthData] --
|
|
// [AuthDataLen] --
|
|
//
|
|
// History: 5-11-98 RichardW Created
|
|
//
|
|
// Notes:
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
NTSTATUS
|
|
SslTryIssuer(
|
|
PBYTE pIssuer,
|
|
DWORD cbIssuer,
|
|
PUCHAR * AuthData,
|
|
PULONG AuthDataLen,
|
|
PWSTR * ReferencedDomain
|
|
)
|
|
{
|
|
UNICODE_STRING IssuerName ;
|
|
ULONG IssuerLength ;
|
|
NTSTATUS Status ;
|
|
UNICODE_STRING Cracked = { 0 };
|
|
UNICODE_STRING DnsDomain = { 0 };
|
|
UNICODE_STRING FlatName = { 0 };
|
|
ULONG SubStatus ;
|
|
const DWORD dwNameToStrFlags = CERT_X500_NAME_STR |
|
|
CERT_NAME_STR_NO_PLUS_FLAG |
|
|
CERT_NAME_STR_CRLF_FLAG;
|
|
CERT_NAME_BLOB Issuer;
|
|
|
|
*ReferencedDomain = NULL ;
|
|
|
|
Issuer.pbData = pIssuer;
|
|
Issuer.cbData = cbIssuer;
|
|
|
|
IssuerLength = CertNameToStr( CRYPT_ASN_ENCODING,
|
|
&Issuer,
|
|
dwNameToStrFlags,
|
|
NULL,
|
|
0 );
|
|
|
|
if ( IssuerLength == 0 )
|
|
{
|
|
return STATUS_NO_MEMORY ;
|
|
}
|
|
|
|
IssuerName.MaximumLength = (USHORT)(CCH_ISSUER_HEADER + IssuerLength) * sizeof( WCHAR ) ;
|
|
|
|
IssuerName.Buffer = LocalAlloc( LMEM_FIXED, IssuerName.MaximumLength );
|
|
|
|
if ( IssuerName.Buffer )
|
|
{
|
|
wcscpy( IssuerName.Buffer, ISSUER_HEADER );
|
|
|
|
IssuerLength = CertNameToStrW(CRYPT_ASN_ENCODING,
|
|
&Issuer,
|
|
dwNameToStrFlags,
|
|
IssuerName.Buffer + CCH_ISSUER_HEADER,
|
|
IssuerLength );
|
|
|
|
ConvertNameString(&IssuerName);
|
|
|
|
|
|
|
|
Status = LsaTable->GetAuthDataForUser( &IssuerName,
|
|
SecNameAlternateId,
|
|
&SslNamePrefix,
|
|
AuthData,
|
|
AuthDataLen,
|
|
&FlatName );
|
|
|
|
if ( FlatName.Length )
|
|
{
|
|
LsaTable->AuditAccountLogon(
|
|
SE_AUDITID_ACCOUNT_MAPPED,
|
|
(BOOLEAN) NT_SUCCESS( Status ),
|
|
&SslPackageName,
|
|
&IssuerName,
|
|
&FlatName,
|
|
Status );
|
|
|
|
LsaTable->FreeLsaHeap( FlatName.Buffer );
|
|
}
|
|
|
|
if ( Status == STATUS_NOT_FOUND )
|
|
{
|
|
Status = LsaTable->CrackSingleName(
|
|
DS_ALT_SECURITY_IDENTITIES_NAME,
|
|
TRUE,
|
|
&IssuerName,
|
|
&SslNamePrefix,
|
|
DS_NT4_ACCOUNT_NAME,
|
|
&Cracked,
|
|
&DnsDomain,
|
|
&SubStatus );
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
if ( SubStatus == 0 )
|
|
{
|
|
*ReferencedDomain = DnsDomain.Buffer ;
|
|
DnsDomain.Buffer = NULL;
|
|
}
|
|
|
|
if(Cracked.Buffer != NULL)
|
|
{
|
|
LsaTable->FreeLsaHeap( Cracked.Buffer );
|
|
}
|
|
if(DnsDomain.Buffer != NULL)
|
|
{
|
|
LsaTable->FreeLsaHeap( DnsDomain.Buffer );
|
|
}
|
|
|
|
Status = STATUS_NOT_FOUND ;
|
|
}
|
|
|
|
}
|
|
|
|
LocalFree(IssuerName.Buffer);
|
|
}
|
|
else
|
|
{
|
|
Status = STATUS_NO_MEMORY ;
|
|
}
|
|
|
|
return Status ;
|
|
|
|
}
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Function: SslMapCertToUserPac
|
|
//
|
|
// Synopsis: Maps a certificate to a user (hopefully) and the PAC,
|
|
//
|
|
// Arguments: [Request] --
|
|
// [UserPac] --
|
|
// [UserPacLen] --
|
|
//
|
|
// History: 5-11-98 RichardW Created
|
|
//
|
|
// Notes:
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
NTSTATUS
|
|
SslMapCertToUserPac(
|
|
IN PSSL_CERT_LOGON_REQ Request,
|
|
OUT PUCHAR * UserPac,
|
|
OUT PULONG UserPacLen,
|
|
OUT PWSTR * ReferencedDomain
|
|
)
|
|
{
|
|
PCCERT_CONTEXT User ;
|
|
NTSTATUS Status = STATUS_LOGON_FAILURE;
|
|
NTSTATUS SubStatus = STATUS_NOT_FOUND;
|
|
UNICODE_STRING UserName ;
|
|
HANDLE UserHandle ;
|
|
ULONG i;
|
|
|
|
*ReferencedDomain = NULL;
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "SslMapCertToUserPac called\n" ));
|
|
|
|
User = CertCreateCertificateContext( X509_ASN_ENCODING,
|
|
(PBYTE)Request + Request->OffsetCertificate,
|
|
Request->CertLength );
|
|
|
|
if ( !User )
|
|
{
|
|
Status = STATUS_NO_MEMORY ;
|
|
|
|
goto Cleanup ;
|
|
}
|
|
|
|
|
|
//
|
|
// First, try the UPN
|
|
//
|
|
|
|
|
|
if(Request->Flags & REQ_UPN_MAPPING)
|
|
{
|
|
DebugLog(( DEB_TRACE_MAPPER, "Trying UPN mapping\n" ));
|
|
|
|
Status = SslTryUpn( User,
|
|
UserPac,
|
|
UserPacLen,
|
|
ReferencedDomain );
|
|
|
|
if ( NT_SUCCESS( Status ) ||
|
|
( *ReferencedDomain ) )
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "Failed with error 0x%x\n", Status ));
|
|
}
|
|
|
|
|
|
//
|
|
// Swing and a miss. Try the constructed issuer+subject name
|
|
//
|
|
|
|
|
|
if(Request->Flags & REQ_SUBJECT_MAPPING)
|
|
{
|
|
DebugLog(( DEB_TRACE_MAPPER, "Trying Subject mapping\n" ));
|
|
|
|
Status = SslTryCompoundName( User,
|
|
UserPac,
|
|
UserPacLen,
|
|
ReferencedDomain );
|
|
|
|
if ( NT_SUCCESS( Status ) ||
|
|
( *ReferencedDomain ) )
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "Failed with error 0x%x\n", Status ));
|
|
|
|
// Return error code from issuer+subject name mapping
|
|
// in preference to the error code from many-to-one mapping.
|
|
SubStatus = Status;
|
|
}
|
|
|
|
|
|
//
|
|
// Strike two. Try the issuer for a many-to-one mapping:
|
|
//
|
|
|
|
if(Request->Flags & REQ_ISSUER_MAPPING)
|
|
{
|
|
DebugLog(( DEB_TRACE_MAPPER, "Trying issuer mapping\n" ));
|
|
|
|
if(Request->Flags & REQ_ISSUER_CHAIN_MAPPING)
|
|
{
|
|
// Loop through each issuer in the certificate chain.
|
|
for(i = 0; i < Request->CertCount; i++)
|
|
{
|
|
Status = SslTryIssuer( (PBYTE)Request + Request->NameInfo[i].IssuerOffset,
|
|
Request->NameInfo[i].IssuerLength,
|
|
UserPac,
|
|
UserPacLen,
|
|
ReferencedDomain );
|
|
|
|
if ( NT_SUCCESS( Status ) ||
|
|
( *ReferencedDomain ) )
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
}
|
|
else
|
|
{
|
|
// Extract the issuer name from the certificate and try
|
|
// to map it.
|
|
Status = SslTryIssuer( User->pCertInfo->Issuer.pbData,
|
|
User->pCertInfo->Issuer.cbData,
|
|
UserPac,
|
|
UserPacLen,
|
|
ReferencedDomain );
|
|
|
|
if ( NT_SUCCESS( Status ) ||
|
|
( *ReferencedDomain ) )
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "Failed with error 0x%x\n", Status ));
|
|
}
|
|
|
|
|
|
//
|
|
// Certificate mapping failed. Decide what error code to return.
|
|
//
|
|
|
|
if(Status == STATUS_OBJECT_NAME_COLLISION ||
|
|
SubStatus == STATUS_OBJECT_NAME_COLLISION)
|
|
{
|
|
Status = SEC_E_MULTIPLE_ACCOUNTS;
|
|
}
|
|
else if(Status != STATUS_NO_MEMORY)
|
|
{
|
|
Status = STATUS_LOGON_FAILURE ;
|
|
}
|
|
|
|
|
|
Cleanup:
|
|
|
|
if ( User )
|
|
{
|
|
CertFreeCertificateContext( User );
|
|
}
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "SslMapCertToUserPac returned 0x%x\n", Status ));
|
|
|
|
return Status ;
|
|
}
|
|
|
|
|
|
DWORD
|
|
WINAPI
|
|
MapperVerifyClientChain(
|
|
PCCERT_CONTEXT pCertContext,
|
|
DWORD dwMapperFlags,
|
|
DWORD * pdwMethods,
|
|
NTSTATUS * pVerifyStatus,
|
|
PCCERT_CHAIN_CONTEXT *ppChainContext) // optional
|
|
{
|
|
DWORD dwCertFlags = 0;
|
|
DWORD dwIgnoreErrors = 0;
|
|
NTSTATUS Status;
|
|
|
|
*pdwMethods = 0;
|
|
*pVerifyStatus = STATUS_SUCCESS;
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "Checking to see if cert is verified.\n" ));
|
|
|
|
if(dwMapperFlags & SCH_FLAG_REVCHECK_END_CERT)
|
|
dwCertFlags |= CERT_CHAIN_REVOCATION_CHECK_END_CERT;
|
|
if(dwMapperFlags & SCH_FLAG_REVCHECK_CHAIN)
|
|
dwCertFlags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN;
|
|
if(dwMapperFlags & SCH_FLAG_REVCHECK_CHAIN_EXCLUDE_ROOT)
|
|
dwCertFlags |= CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT;
|
|
if(dwMapperFlags & SCH_FLAG_IGNORE_NO_REVOCATION_CHECK)
|
|
dwIgnoreErrors |= CRED_FLAG_IGNORE_NO_REVOCATION_CHECK;
|
|
if(dwMapperFlags & SCH_FLAG_IGNORE_REVOCATION_OFFLINE)
|
|
dwIgnoreErrors |= CRED_FLAG_IGNORE_REVOCATION_OFFLINE;
|
|
|
|
|
|
// Check to see if the certificate chain is properly signed all the way
|
|
// up and that we trust the issuer of the root certificate.
|
|
Status = VerifyClientCertificate(pCertContext,
|
|
dwCertFlags,
|
|
dwIgnoreErrors,
|
|
CERT_CHAIN_POLICY_SSL,
|
|
ppChainContext);
|
|
if(!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_WARN, "Client certificate failed to verify with SSL policy (0x%x)\n", Status));
|
|
LogBogusClientCertEvent(pCertContext, Status);
|
|
return Status;
|
|
}
|
|
|
|
// Turn on Subject and Issuer mapping.
|
|
*pdwMethods |= REQ_SUBJECT_MAPPING | REQ_ISSUER_MAPPING;
|
|
|
|
|
|
// Check to see if the certificate chain is valid for UPN mapping.
|
|
Status = VerifyClientCertificate(pCertContext,
|
|
dwCertFlags,
|
|
dwIgnoreErrors,
|
|
CERT_CHAIN_POLICY_NT_AUTH,
|
|
NULL);
|
|
if(NT_SUCCESS(Status))
|
|
{
|
|
// Turn on UPN mapping.
|
|
*pdwMethods |= REQ_UPN_MAPPING;
|
|
}
|
|
else
|
|
{
|
|
DebugLog((DEB_WARN, "Client certificate failed to verify with NT_AUTH policy (0x%x)\n", Status));
|
|
LogFastMappingFailureEvent(pCertContext, Status);
|
|
*pVerifyStatus = Status;
|
|
}
|
|
|
|
DebugLog((DEB_TRACE, "Client certificate verified with methods: 0x%x\n", *pdwMethods));
|
|
|
|
return SEC_E_OK;
|
|
}
|
|
|
|
|
|
DWORD
|
|
WINAPI
|
|
SslLocalMapCredential(
|
|
IN PHMAPPER Mapper,
|
|
IN DWORD CredentialType,
|
|
VOID const *pCredential,
|
|
VOID const *pAuthority,
|
|
OUT HLOCATOR * phLocator
|
|
)
|
|
{
|
|
PCCERT_CONTEXT pCert = (PCERT_CONTEXT)pCredential;
|
|
PMSV1_0_PASSTHROUGH_RESPONSE Response = NULL ;
|
|
PSSL_CERT_LOGON_REQ pRequest = NULL;
|
|
PSSL_CERT_LOGON_RESP CertResp ;
|
|
DWORD cbRequest;
|
|
PUCHAR Pac = NULL ;
|
|
ULONG PacLength ;
|
|
PUCHAR ExpandedPac = NULL ;
|
|
ULONG ExpandedPacLength ;
|
|
NTSTATUS Status ;
|
|
NTSTATUS VerifyStatus ;
|
|
HANDLE Token ;
|
|
LUID LogonId ;
|
|
DWORD dwMethods ;
|
|
PWSTR ReferencedDomain ;
|
|
UNICODE_STRING DomainName ;
|
|
UNICODE_STRING AccountDomain = { 0 };
|
|
PCCERT_CHAIN_CONTEXT pChainContext = NULL;
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "SslLocalMapCredential, context %x\n", Mapper ));
|
|
|
|
if ( CredentialType != X509_ASN_CHAIN )
|
|
{
|
|
return( SEC_E_UNKNOWN_CREDENTIALS );
|
|
}
|
|
|
|
//
|
|
// Validate client certificate, and obtain pointer to
|
|
// entire certificate chain.
|
|
//
|
|
|
|
Status = MapperVerifyClientChain(pCert,
|
|
Mapper->m_dwFlags,
|
|
&dwMethods,
|
|
&VerifyStatus,
|
|
&pChainContext);
|
|
if(FAILED(Status))
|
|
{
|
|
return Status;
|
|
}
|
|
|
|
|
|
//
|
|
// Build the logon request.
|
|
//
|
|
|
|
Status = SslBuildCertLogonRequest(pChainContext,
|
|
dwMethods,
|
|
&pRequest,
|
|
&cbRequest);
|
|
|
|
CertFreeCertificateChain(pChainContext);
|
|
pChainContext = NULL;
|
|
|
|
if(FAILED(Status))
|
|
{
|
|
return Status;
|
|
}
|
|
|
|
|
|
Status = SslMapCertToUserPac(
|
|
pRequest,
|
|
&Pac,
|
|
&PacLength,
|
|
&ReferencedDomain );
|
|
|
|
if ( !NT_SUCCESS( Status ) &&
|
|
( ReferencedDomain != NULL ) )
|
|
{
|
|
//
|
|
// Didn't find it at this DC, but another domain appears to
|
|
// have the mapping. Forward it there:
|
|
//
|
|
|
|
RtlInitUnicodeString( &DomainName, ReferencedDomain );
|
|
|
|
Status = SslMapCertAtDC(
|
|
&DomainName,
|
|
pRequest,
|
|
pRequest->Length,
|
|
&Response );
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
CertResp = (PSSL_CERT_LOGON_RESP) Response->ValidationData ;
|
|
Pac = (((PUCHAR) CertResp) + CertResp->OffsetAuthData);
|
|
PacLength = CertResp->AuthDataLength ;
|
|
|
|
//
|
|
// older servers (pre 2010 or so) won't return the full structure,
|
|
// so we need to examine it carefully.
|
|
|
|
if ( CertResp->Length - CertResp->AuthDataLength <= sizeof( SSL_CERT_LOGON_RESP ))
|
|
{
|
|
AccountDomain = SslDomainName ;
|
|
}
|
|
else
|
|
{
|
|
if ( CertResp->DomainLength < 65536 )
|
|
{
|
|
AccountDomain.Length = (USHORT) CertResp->DomainLength ;
|
|
AccountDomain.MaximumLength = AccountDomain.Length ;
|
|
AccountDomain.Buffer = (PWSTR) (((PUCHAR) CertResp) + CertResp->OffsetDomain );
|
|
}
|
|
else
|
|
{
|
|
AccountDomain = SslDomainName ;
|
|
}
|
|
}
|
|
}
|
|
|
|
LsaTable->FreeLsaHeap( ReferencedDomain );
|
|
|
|
}
|
|
else
|
|
{
|
|
AccountDomain = SslDomainName ;
|
|
}
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
Status = LsaTable->ExpandAuthDataForDomain(
|
|
Pac,
|
|
PacLength,
|
|
NULL,
|
|
&ExpandedPac,
|
|
&ExpandedPacLength );
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
//
|
|
// Since we're about to replace the PAC
|
|
// pointer, determine if we got it indirectly
|
|
// (in the response from a remote server)
|
|
// or directly from this DC
|
|
//
|
|
|
|
if ( Response == NULL )
|
|
{
|
|
//
|
|
// This is a direct one. Free the old
|
|
// copy
|
|
//
|
|
|
|
LsaTable->FreeLsaHeap( Pac );
|
|
}
|
|
|
|
Pac = ExpandedPac ;
|
|
PacLength = ExpandedPacLength ;
|
|
|
|
if ( Response == NULL )
|
|
{
|
|
//
|
|
// If we don't have a response, then the pac
|
|
// will get freed. If it is out of the response
|
|
// then leave it set, and it will be caught in
|
|
// the cleanup.
|
|
//
|
|
|
|
ExpandedPac = NULL ;
|
|
}
|
|
}
|
|
}
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
|
|
|
|
VerifyStatus = STATUS_SUCCESS;
|
|
|
|
Status = SslCreateTokenFromPac( Pac,
|
|
PacLength,
|
|
&AccountDomain,
|
|
&LogonId,
|
|
&Token );
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
*phLocator = (HLOCATOR) Token ;
|
|
}
|
|
|
|
|
|
}
|
|
|
|
if(pRequest)
|
|
{
|
|
LocalFree(pRequest);
|
|
}
|
|
|
|
if ( Response )
|
|
{
|
|
LsaTable->FreeReturnBuffer( Response );
|
|
}
|
|
else
|
|
{
|
|
LsaTable->FreeLsaHeap( Pac );
|
|
}
|
|
|
|
if ( ExpandedPac )
|
|
{
|
|
LsaTable->FreeLsaHeap( ExpandedPac );
|
|
}
|
|
|
|
if(!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_WARN, "Certificate mapping failed (0x%x)\n", Status));
|
|
|
|
LogCertMappingFailureEvent(Status);
|
|
|
|
if(!NT_SUCCESS(VerifyStatus))
|
|
{
|
|
// Return certificate validation error code, unless the mapper
|
|
// error has already been mapped to a proper sspi error code.
|
|
if(HRESULT_FACILITY(Status) != FACILITY_SECURITY)
|
|
{
|
|
Status = VerifyStatus;
|
|
}
|
|
}
|
|
}
|
|
|
|
return ( Status );
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SslDoClientRequest(
|
|
IN PLSA_CLIENT_REQUEST ClientRequest,
|
|
IN PVOID ProtocolSubmitBuffer,
|
|
IN PVOID ClientBufferBase,
|
|
IN ULONG SubmitBufferLen,
|
|
OUT PVOID * ProtocolReturnBuffer,
|
|
OUT PULONG ReturnBufferLength,
|
|
OUT PNTSTATUS ProtocolStatus
|
|
)
|
|
{
|
|
NTSTATUS Status ;
|
|
PSSL_CERT_LOGON_REQ Request ;
|
|
PSSL_CERT_LOGON_RESP Response, IndirectResponse ;
|
|
PUCHAR Pac = NULL ;
|
|
PUCHAR ExpandedPac = NULL ;
|
|
ULONG PacLength ;
|
|
ULONG ExpandedPacLength ;
|
|
PWSTR ReferencedDomain = NULL;
|
|
PWSTR FirstDot ;
|
|
UNICODE_STRING DomainName = { 0 };
|
|
PMSV1_0_PASSTHROUGH_RESPONSE MsvResponse = NULL ;
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "Handling request to do mapping\n" ));
|
|
|
|
if ( ARGUMENT_PRESENT( ProtocolReturnBuffer ) )
|
|
{
|
|
*ProtocolReturnBuffer = NULL ;
|
|
}
|
|
|
|
//
|
|
// Attempt to map the certificate locally.
|
|
//
|
|
|
|
Request = (PSSL_CERT_LOGON_REQ) ProtocolSubmitBuffer ;
|
|
|
|
Status = SslMapCertToUserPac(
|
|
Request,
|
|
&Pac,
|
|
&PacLength,
|
|
&ReferencedDomain );
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "Local lookup returns %x\n", Status ));
|
|
|
|
if ( !NT_SUCCESS( Status ) &&
|
|
( ReferencedDomain != NULL ) )
|
|
{
|
|
//
|
|
// Didn't find it at this DC, but another domain appears to
|
|
// have the mapping. Forward it there:
|
|
//
|
|
|
|
RtlInitUnicodeString( &DomainName, ReferencedDomain );
|
|
|
|
DsysAssert( !DnsNameCompare_W( ReferencedDomain, SslDnsDomainName ) );
|
|
DsysAssert( !RtlEqualUnicodeString( &DomainName, &SslDomainName, TRUE ) );
|
|
|
|
if ( DnsNameCompare_W( ReferencedDomain, SslDnsDomainName ) ||
|
|
RtlEqualUnicodeString( &DomainName, &SslDomainName, TRUE ) )
|
|
{
|
|
DebugLog(( DEB_TRACE_MAPPER, "GC is out of sync, bailing on this user\n" ));
|
|
Status = STATUS_LOGON_FAILURE ;
|
|
|
|
}
|
|
else
|
|
{
|
|
DebugLog(( DEB_TRACE_MAPPER, "Mapping certificate at DC for domain %ws\n",
|
|
ReferencedDomain ));
|
|
|
|
Status = SslMapCertAtDC(
|
|
&DomainName,
|
|
Request,
|
|
Request->Length,
|
|
&MsvResponse );
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
IndirectResponse = (PSSL_CERT_LOGON_RESP) MsvResponse->ValidationData ;
|
|
|
|
Pac = (((PUCHAR) IndirectResponse) + IndirectResponse->OffsetAuthData);
|
|
|
|
PacLength = IndirectResponse->AuthDataLength ;
|
|
|
|
FirstDot = wcschr( ReferencedDomain, L'.' );
|
|
|
|
if ( FirstDot )
|
|
{
|
|
*FirstDot = L'\0';
|
|
RtlInitUnicodeString( &DomainName, ReferencedDomain );
|
|
}
|
|
|
|
if ( IndirectResponse->Length - IndirectResponse->AuthDataLength <= sizeof( SSL_CERT_LOGON_RESP ))
|
|
{
|
|
//
|
|
// use the first token from the referenced domain
|
|
//
|
|
|
|
NOTHING ;
|
|
|
|
}
|
|
else
|
|
{
|
|
if ( IndirectResponse->DomainLength < 65536 )
|
|
{
|
|
DomainName.Length = (USHORT) IndirectResponse->DomainLength ;
|
|
DomainName.MaximumLength = DomainName.Length ;
|
|
DomainName.Buffer = (PWSTR) (((PUCHAR) IndirectResponse) + IndirectResponse->OffsetDomain );
|
|
}
|
|
else
|
|
{
|
|
NOTHING ;
|
|
}
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
else
|
|
{
|
|
DomainName = SslDomainName ;
|
|
}
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
//
|
|
// expand resource groups
|
|
//
|
|
|
|
Status = LsaTable->ExpandAuthDataForDomain(
|
|
Pac,
|
|
PacLength,
|
|
NULL,
|
|
&ExpandedPac,
|
|
&ExpandedPacLength );
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
//
|
|
// Careful manipulation of pointers to handle
|
|
// the free cases in the cleanup. This is
|
|
// better explained up one function where
|
|
// the expand call is also made.
|
|
//
|
|
if ( MsvResponse == NULL )
|
|
{
|
|
LsaTable->FreeLsaHeap( Pac );
|
|
}
|
|
|
|
Pac = ExpandedPac ;
|
|
PacLength = ExpandedPacLength ;
|
|
|
|
if ( MsvResponse == NULL )
|
|
{
|
|
ExpandedPac = NULL ;
|
|
}
|
|
}
|
|
}
|
|
|
|
if ( !NT_SUCCESS( Status ) )
|
|
{
|
|
*ReturnBufferLength = 0;
|
|
*ProtocolStatus = Status ;
|
|
|
|
Status = STATUS_SUCCESS ;
|
|
|
|
goto Cleanup ;
|
|
|
|
}
|
|
|
|
//
|
|
// Construct the response blob:
|
|
//
|
|
|
|
Response = VirtualAlloc(
|
|
NULL,
|
|
sizeof( SSL_CERT_LOGON_RESP ) + PacLength + DomainName.Length,
|
|
MEM_COMMIT,
|
|
PAGE_READWRITE );
|
|
|
|
if ( Response )
|
|
{
|
|
Response->MessageType = SSL_LOOKUP_CERT_MESSAGE;
|
|
Response->Length = sizeof( SSL_CERT_LOGON_RESP ) +
|
|
PacLength + DomainName.Length ;
|
|
|
|
Response->OffsetAuthData = sizeof( SSL_CERT_LOGON_RESP );
|
|
Response->AuthDataLength = PacLength ;
|
|
|
|
RtlCopyMemory(
|
|
( Response + 1 ),
|
|
Pac,
|
|
PacLength );
|
|
|
|
Response->OffsetDomain = sizeof( SSL_CERT_LOGON_RESP ) + PacLength ;
|
|
Response->DomainLength = DomainName.Length ;
|
|
|
|
RtlCopyMemory( (PUCHAR) Response + Response->OffsetDomain,
|
|
DomainName.Buffer,
|
|
DomainName.Length );
|
|
|
|
*ProtocolReturnBuffer = Response ;
|
|
*ReturnBufferLength = Response->Length ;
|
|
*ProtocolStatus = STATUS_SUCCESS ;
|
|
|
|
Status = STATUS_SUCCESS ;
|
|
|
|
}
|
|
else
|
|
{
|
|
Status = STATUS_NO_MEMORY ;
|
|
}
|
|
|
|
Cleanup:
|
|
|
|
if ( MsvResponse == NULL )
|
|
{
|
|
LsaTable->FreeLsaHeap( Pac );
|
|
}
|
|
else
|
|
{
|
|
LsaTable->FreeReturnBuffer( MsvResponse );
|
|
}
|
|
|
|
if ( ExpandedPac )
|
|
{
|
|
LsaTable->FreeLsaHeap( ExpandedPac );
|
|
}
|
|
|
|
if ( ReferencedDomain )
|
|
{
|
|
LsaTable->FreeLsaHeap( ReferencedDomain );
|
|
}
|
|
|
|
|
|
return Status ;
|
|
|
|
}
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Function: SslBuildCertLogonRequest
|
|
//
|
|
// Synopsis: Builds a certificate logon request to send to the server.
|
|
//
|
|
// Arguments: [pChainContext] --
|
|
// [dwMethods] --
|
|
// [ppRequest] --
|
|
// [pcbRequest] --
|
|
//
|
|
// History: 2-26-2001 Jbanes Created
|
|
//
|
|
// Notes: The certificate data that this function builds
|
|
// looks something like this:
|
|
//
|
|
// typedef struct _SSL_CERT_LOGON_REQ {
|
|
// ULONG MessageType ;
|
|
// ULONG Length ;
|
|
// ULONG OffsetCertficate ;
|
|
// ULONG CertLength ;
|
|
// ULONG Flags;
|
|
// ULONG CertCount;
|
|
// SSL_CERT_NAME_INFO NameInfo[1];
|
|
// } SSL_CERT_LOGON_REQ, * PSSL_CERT_LOGON_REQ ;
|
|
//
|
|
// <client certificate>
|
|
// <issuer #1 name>
|
|
// <issuer #2 name>
|
|
// ...
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
NTSTATUS
|
|
WINAPI
|
|
SslBuildCertLogonRequest(
|
|
PCCERT_CHAIN_CONTEXT pChainContext,
|
|
DWORD dwMethods,
|
|
PSSL_CERT_LOGON_REQ *ppRequest,
|
|
PDWORD pcbRequest)
|
|
{
|
|
PCERT_SIMPLE_CHAIN pSimpleChain;
|
|
PCCERT_CONTEXT pCert;
|
|
PCCERT_CONTEXT pCurrentCert;
|
|
PSSL_CERT_LOGON_REQ pCertReq = NULL;
|
|
DWORD Size;
|
|
DWORD Offset;
|
|
DWORD CertCount;
|
|
NTSTATUS Status;
|
|
ULONG i;
|
|
|
|
|
|
//
|
|
// Compute the request size.
|
|
//
|
|
|
|
pSimpleChain = pChainContext->rgpChain[0];
|
|
|
|
pCert = pSimpleChain->rgpElement[0]->pCertContext;
|
|
|
|
Size = sizeof(SSL_CERT_LOGON_REQ) +
|
|
pCert->cbCertEncoded;
|
|
|
|
CertCount = 0;
|
|
|
|
for(i = 0; i < pSimpleChain->cElement; i++)
|
|
{
|
|
pCurrentCert = pSimpleChain->rgpElement[i]->pCertContext;
|
|
|
|
if(i > 0)
|
|
{
|
|
// Verify that this is not a root certificate.
|
|
if(CertCompareCertificateName(pCurrentCert->dwCertEncodingType,
|
|
&pCurrentCert->pCertInfo->Issuer,
|
|
&pCurrentCert->pCertInfo->Subject))
|
|
{
|
|
break;
|
|
}
|
|
|
|
Size += sizeof(SSL_CERT_NAME_INFO);
|
|
}
|
|
|
|
Size += pCurrentCert->pCertInfo->Issuer.cbData;
|
|
CertCount++;
|
|
}
|
|
|
|
Size = ROUND_UP_COUNT( Size, ALIGN_DWORD );
|
|
|
|
|
|
//
|
|
// Build the request.
|
|
//
|
|
|
|
pCertReq = (PSSL_CERT_LOGON_REQ)LocalAlloc(LPTR, Size);
|
|
|
|
if ( !pCertReq )
|
|
{
|
|
return SEC_E_INSUFFICIENT_MEMORY ;
|
|
}
|
|
|
|
Offset = sizeof(SSL_CERT_LOGON_REQ) + (CertCount - 1) * sizeof(SSL_CERT_NAME_INFO);
|
|
|
|
pCertReq->MessageType = SSL_LOOKUP_CERT_MESSAGE;
|
|
pCertReq->Length = Size;
|
|
pCertReq->OffsetCertificate = Offset;
|
|
pCertReq->CertLength = pCert->cbCertEncoded;
|
|
pCertReq->Flags = dwMethods | REQ_ISSUER_CHAIN_MAPPING;
|
|
|
|
RtlCopyMemory((PBYTE)pCertReq + Offset,
|
|
pCert->pbCertEncoded,
|
|
pCert->cbCertEncoded);
|
|
Offset += pCert->cbCertEncoded;
|
|
|
|
pCertReq->CertCount = CertCount;
|
|
|
|
for(i = 0; i < CertCount; i++)
|
|
{
|
|
pCurrentCert = pSimpleChain->rgpElement[i]->pCertContext;
|
|
|
|
pCertReq->NameInfo[i].IssuerOffset = Offset;
|
|
pCertReq->NameInfo[i].IssuerLength = pCurrentCert->pCertInfo->Issuer.cbData;
|
|
|
|
RtlCopyMemory((PBYTE)pCertReq + Offset,
|
|
pCurrentCert->pCertInfo->Issuer.pbData,
|
|
pCurrentCert->pCertInfo->Issuer.cbData);
|
|
Offset += pCurrentCert->pCertInfo->Issuer.cbData;
|
|
}
|
|
|
|
Offset = ROUND_UP_COUNT( Offset, ALIGN_DWORD );
|
|
|
|
#if DBG
|
|
DsysAssert(Offset == Size);
|
|
#endif
|
|
|
|
//
|
|
// Return completed request.
|
|
//
|
|
|
|
*ppRequest = pCertReq;
|
|
*pcbRequest = Size;
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
|
|
//+---------------------------------------------------------------------------
|
|
//
|
|
// Function: SslMapCertAtDC
|
|
//
|
|
// Synopsis: Maps a certificate to a user (hopefully) and the PAC,
|
|
//
|
|
// Arguments: [DomainName] --
|
|
// [pCredential] --
|
|
// [cbCredential] --
|
|
// [DcResponse] --
|
|
//
|
|
// History: 5-11-1998 RichardW Created
|
|
// 2-26-2001 Jbanes Added certificate chaining support.
|
|
//
|
|
// Notes: The request that gets sent to the DC looks something
|
|
// like this:
|
|
//
|
|
// typedef struct _MSV1_0_PASSTHROUGH_REQUEST {
|
|
// MSV1_0_PROTOCOL_MESSAGE_TYPE MessageType;
|
|
// UNICODE_STRING DomainName;
|
|
// UNICODE_STRING PackageName;
|
|
// ULONG DataLength;
|
|
// PUCHAR LogonData;
|
|
// ULONG Pad ;
|
|
// } MSV1_0_PASSTHROUGH_REQUEST, *PMSV1_0_PASSTHROUGH_REQUEST;
|
|
//
|
|
// <domain name>
|
|
// <package name>
|
|
// [ padding ]
|
|
//
|
|
// <credential>
|
|
// [ padding ]
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
NTSTATUS
|
|
WINAPI
|
|
SslMapCertAtDC(
|
|
PUNICODE_STRING DomainName,
|
|
VOID const *pCredential,
|
|
DWORD cbCredential,
|
|
PMSV1_0_PASSTHROUGH_RESPONSE * DcResponse
|
|
)
|
|
{
|
|
PUCHAR Pac ;
|
|
ULONG PacLength ;
|
|
NTSTATUS Status ;
|
|
PMSV1_0_PASSTHROUGH_REQUEST Request ;
|
|
PMSV1_0_PASSTHROUGH_RESPONSE Response ;
|
|
DWORD Size ;
|
|
DWORD RequestSize ;
|
|
DWORD ResponseSize ;
|
|
PUCHAR Where ;
|
|
NTSTATUS SubStatus ;
|
|
#if DBG
|
|
DWORD CheckSize2 ;
|
|
#endif
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "Remote call to DC to do the mapping\n" ));
|
|
|
|
// Reality check size of certificate.
|
|
if(cbCredential > 0x4000)
|
|
{
|
|
return SEC_E_ILLEGAL_MESSAGE;
|
|
}
|
|
|
|
Size = cbCredential;
|
|
|
|
Size = ROUND_UP_COUNT( Size, ALIGN_DWORD );
|
|
|
|
RequestSize = DomainName->Length +
|
|
SslPackageName.Length ;
|
|
|
|
RequestSize = ROUND_UP_COUNT( RequestSize, ALIGN_DWORD );
|
|
|
|
#if DBG
|
|
CheckSize2 = RequestSize ;
|
|
#endif
|
|
|
|
RequestSize += sizeof( MSV1_0_PASSTHROUGH_REQUEST ) +
|
|
Size ;
|
|
|
|
|
|
Request = (PMSV1_0_PASSTHROUGH_REQUEST) LocalAlloc( LMEM_FIXED, RequestSize );
|
|
|
|
if ( !Request )
|
|
{
|
|
return SEC_E_INSUFFICIENT_MEMORY ;
|
|
}
|
|
|
|
Where = (PUCHAR) (Request + 1);
|
|
|
|
Request->MessageType = MsV1_0GenericPassthrough ;
|
|
Request->DomainName = *DomainName ;
|
|
Request->DomainName.Buffer = (LPWSTR) Where ;
|
|
|
|
RtlCopyMemory( Where,
|
|
DomainName->Buffer,
|
|
DomainName->Length );
|
|
|
|
Where += DomainName->Length ;
|
|
|
|
Request->PackageName = SslPackageName ;
|
|
Request->PackageName.Buffer = (LPWSTR) Where ;
|
|
RtlCopyMemory( Where,
|
|
SslPackageName.Buffer,
|
|
SslPackageName.Length );
|
|
|
|
Where += SslPackageName.Length ;
|
|
|
|
Where = ROUND_UP_POINTER( Where, ALIGN_DWORD );
|
|
|
|
#if DBG
|
|
DsysAssert( (((PUCHAR) Request) + CheckSize2 + sizeof( MSV1_0_PASSTHROUGH_REQUEST ) )
|
|
== (PUCHAR) Where );
|
|
#endif
|
|
|
|
Request->LogonData = Where ;
|
|
Request->DataLength = Size ;
|
|
|
|
RtlCopyMemory( Request->LogonData,
|
|
pCredential,
|
|
cbCredential );
|
|
|
|
|
|
//
|
|
// Now, call through to our DC:
|
|
//
|
|
|
|
|
|
Status = LsaTable->CallPackage(
|
|
&SslMsvName,
|
|
Request,
|
|
RequestSize,
|
|
&Response,
|
|
&ResponseSize,
|
|
&SubStatus );
|
|
|
|
LocalFree( Request );
|
|
|
|
if ( !NT_SUCCESS( Status ) )
|
|
{
|
|
DebugLog(( DEB_TRACE_MAPPER, "SslMapCertAtDC returned status 0x%x\n", Status ));
|
|
return Status ;
|
|
}
|
|
|
|
if ( !NT_SUCCESS( SubStatus ) )
|
|
{
|
|
DebugLog(( DEB_TRACE_MAPPER, "SslMapCertAtDC returned sub-status 0x%x\n", SubStatus ));
|
|
return SubStatus ;
|
|
}
|
|
|
|
*DcResponse = Response ;
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "SslMapCertAtDC returned 0x%x\n", STATUS_SUCCESS ));
|
|
|
|
return STATUS_SUCCESS ;
|
|
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
SslMapExternalCredential(
|
|
IN PLSA_CLIENT_REQUEST ClientRequest,
|
|
IN PVOID ProtocolSubmitBuffer,
|
|
IN PVOID ClientBufferBase,
|
|
IN ULONG SubmitBufferLen,
|
|
OUT PVOID * ProtocolReturnBuffer,
|
|
OUT PULONG ReturnBufferLength,
|
|
OUT PNTSTATUS ProtocolStatus
|
|
)
|
|
{
|
|
PSSL_EXTERNAL_CERT_LOGON_REQ Request;
|
|
PSSL_EXTERNAL_CERT_LOGON_RESP Response;
|
|
NT_PRODUCT_TYPE ProductType;
|
|
BOOL DC;
|
|
HMAPPER Mapper;
|
|
NTSTATUS Status;
|
|
HANDLE hUserToken = NULL;
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "SslMapExternalCredential\n" ));
|
|
|
|
//
|
|
// Validate the input parameters.
|
|
//
|
|
|
|
if ( ARGUMENT_PRESENT( ProtocolReturnBuffer ) )
|
|
{
|
|
*ProtocolReturnBuffer = NULL ;
|
|
}
|
|
|
|
Request = (PSSL_EXTERNAL_CERT_LOGON_REQ) ProtocolSubmitBuffer ;
|
|
|
|
if(Request->Length != sizeof(SSL_EXTERNAL_CERT_LOGON_REQ))
|
|
{
|
|
return STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
|
|
//
|
|
// Attempt to map the certificate.
|
|
//
|
|
|
|
if(RtlGetNtProductType(&ProductType))
|
|
{
|
|
DC = (ProductType == NtProductLanManNt);
|
|
}
|
|
else
|
|
{
|
|
return STATUS_NO_MEMORY ;
|
|
}
|
|
|
|
memset(&Mapper, 0, sizeof(Mapper));
|
|
|
|
Mapper.m_dwFlags = SCH_FLAG_SYSTEM_MAPPER | Request->Flags;
|
|
|
|
if(DC)
|
|
{
|
|
Status = SslLocalMapCredential( &Mapper,
|
|
Request->CredentialType,
|
|
Request->Credential,
|
|
NULL,
|
|
(PHLOCATOR)&hUserToken);
|
|
}
|
|
else
|
|
{
|
|
Status = SslRemoteMapCredential(&Mapper,
|
|
Request->CredentialType,
|
|
Request->Credential,
|
|
NULL,
|
|
(PHLOCATOR)&hUserToken);
|
|
}
|
|
|
|
if(!NT_SUCCESS(Status))
|
|
{
|
|
*ReturnBufferLength = 0;
|
|
*ProtocolStatus = Status;
|
|
Status = STATUS_SUCCESS;
|
|
goto cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// Build the response.
|
|
//
|
|
|
|
Response = VirtualAlloc(
|
|
NULL,
|
|
sizeof(SSL_EXTERNAL_CERT_LOGON_RESP),
|
|
MEM_COMMIT,
|
|
PAGE_READWRITE);
|
|
|
|
if ( Response )
|
|
{
|
|
Response->MessageType = SSL_LOOKUP_EXTERNAL_CERT_MESSAGE;
|
|
Response->Length = sizeof(SSL_EXTERNAL_CERT_LOGON_RESP);
|
|
Response->UserToken = hUserToken;
|
|
Response->Flags = 0;
|
|
|
|
*ProtocolReturnBuffer = Response;
|
|
*ReturnBufferLength = Response->Length;
|
|
*ProtocolStatus = STATUS_SUCCESS;
|
|
hUserToken = NULL;
|
|
|
|
Status = STATUS_SUCCESS;
|
|
}
|
|
else
|
|
{
|
|
Status = STATUS_NO_MEMORY;
|
|
}
|
|
|
|
cleanup:
|
|
|
|
if(hUserToken)
|
|
{
|
|
CloseHandle(hUserToken);
|
|
}
|
|
|
|
return Status;
|
|
}
|
|
|
|
|
|
DWORD
|
|
WINAPI
|
|
SslRemoteMapCredential(
|
|
IN PHMAPPER Mapper,
|
|
IN DWORD CredentialType,
|
|
VOID const *pCredential,
|
|
VOID const *pAuthority,
|
|
OUT HLOCATOR * phLocator
|
|
)
|
|
{
|
|
PCCERT_CONTEXT pCert = (PCERT_CONTEXT)pCredential;
|
|
PUCHAR Pac ;
|
|
ULONG PacLength ;
|
|
NTSTATUS Status ;
|
|
NTSTATUS VerifyStatus ;
|
|
HANDLE Token ;
|
|
LUID LogonId = { 0 };
|
|
PMSV1_0_PASSTHROUGH_RESPONSE Response ;
|
|
PSSL_CERT_LOGON_RESP CertResp ;
|
|
UNICODE_STRING AccountDomain ;
|
|
DWORD dwMethods;
|
|
PCCERT_CHAIN_CONTEXT pChainContext = NULL;
|
|
PSSL_CERT_LOGON_REQ pRequest = NULL;
|
|
DWORD cbRequest;
|
|
|
|
DebugLog(( DEB_TRACE_MAPPER, "SslRemoteMapCredential, context %x\n", Mapper ));
|
|
|
|
if ( CredentialType != X509_ASN_CHAIN )
|
|
{
|
|
return( SEC_E_UNKNOWN_CREDENTIALS );
|
|
}
|
|
|
|
|
|
//
|
|
// Validate client certificate, and obtain pointer to
|
|
// entire certificate chain.
|
|
//
|
|
|
|
Status = MapperVerifyClientChain(pCert,
|
|
Mapper->m_dwFlags,
|
|
&dwMethods,
|
|
&VerifyStatus,
|
|
&pChainContext);
|
|
if(FAILED(Status))
|
|
{
|
|
return Status;
|
|
}
|
|
|
|
//
|
|
// Build the logon request.
|
|
//
|
|
|
|
Status = SslBuildCertLogonRequest(pChainContext,
|
|
dwMethods,
|
|
&pRequest,
|
|
&cbRequest);
|
|
|
|
CertFreeCertificateChain(pChainContext);
|
|
pChainContext = NULL;
|
|
|
|
if(FAILED(Status))
|
|
{
|
|
return Status;
|
|
}
|
|
|
|
|
|
//
|
|
// Send the request to the DC.
|
|
//
|
|
|
|
Status = SslMapCertAtDC(
|
|
&SslDomainName,
|
|
pRequest,
|
|
cbRequest,
|
|
&Response );
|
|
|
|
LocalFree(pRequest);
|
|
pRequest = NULL;
|
|
|
|
if ( !NT_SUCCESS( Status ) )
|
|
{
|
|
LsaTable->AuditLogon(
|
|
Status,
|
|
VerifyStatus,
|
|
&SslNullString,
|
|
&SslNullString,
|
|
NULL,
|
|
NULL,
|
|
Network,
|
|
&SslTokenSource,
|
|
&LogonId );
|
|
|
|
LogCertMappingFailureEvent(Status);
|
|
|
|
if(!NT_SUCCESS(VerifyStatus))
|
|
{
|
|
// Return certificate validation error code, unless the mapper
|
|
// error has already been mapped to a proper sspi error code.
|
|
if(HRESULT_FACILITY(Status) != FACILITY_SECURITY)
|
|
{
|
|
Status = VerifyStatus;
|
|
}
|
|
}
|
|
|
|
return Status ;
|
|
}
|
|
|
|
//
|
|
// Ok, we got mapping data. Try to use it:
|
|
//
|
|
|
|
CertResp = (PSSL_CERT_LOGON_RESP) Response->ValidationData ;
|
|
|
|
//
|
|
// older servers (pre 2010 or so) won't return the full structure,
|
|
// so we need to examine it carefully.
|
|
|
|
if ( CertResp->Length - CertResp->AuthDataLength <= sizeof( SSL_CERT_LOGON_RESP ))
|
|
{
|
|
AccountDomain = SslDomainName ;
|
|
}
|
|
else
|
|
{
|
|
if ( CertResp->DomainLength < 65536 )
|
|
{
|
|
AccountDomain.Length = (USHORT) CertResp->DomainLength ;
|
|
AccountDomain.MaximumLength = AccountDomain.Length ;
|
|
AccountDomain.Buffer = (PWSTR) (((PUCHAR) CertResp) + CertResp->OffsetDomain );
|
|
}
|
|
else
|
|
{
|
|
AccountDomain = SslDomainName ;
|
|
}
|
|
}
|
|
|
|
Status = SslCreateTokenFromPac( (((PUCHAR) CertResp) + CertResp->OffsetAuthData),
|
|
CertResp->AuthDataLength,
|
|
&AccountDomain,
|
|
&LogonId,
|
|
&Token );
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
*phLocator = (HLOCATOR) Token ;
|
|
}
|
|
else
|
|
{
|
|
LogCertMappingFailureEvent(Status);
|
|
}
|
|
|
|
LsaTable->FreeReturnBuffer( Response );
|
|
|
|
|
|
return ( Status );
|
|
|
|
}
|
|
|
|
|
|
DWORD
|
|
WINAPI
|
|
SslLocalCloseLocator(
|
|
IN PHMAPPER Mapper,
|
|
IN HLOCATOR Locator
|
|
)
|
|
{
|
|
DebugLog(( DEB_TRACE_MAPPER, "CloseLocator, context %x\n", Mapper ));
|
|
|
|
NtClose( (HANDLE) Locator );
|
|
|
|
return( SEC_E_OK );
|
|
}
|
|
|
|
DWORD
|
|
WINAPI
|
|
SslLocalGetAccessToken(
|
|
IN PHMAPPER Mapper,
|
|
IN HLOCATOR Locator,
|
|
OUT HANDLE *Token
|
|
)
|
|
{
|
|
DebugLog(( DEB_TRACE_MAPPER, "GetAccessToken, context %x\n", Mapper ));
|
|
|
|
*Token = (HANDLE) Locator ;
|
|
|
|
return( SEC_E_OK );
|
|
}
|
|
|
|
|
|
BOOL
|
|
SslRelocateToken(
|
|
IN HLOCATOR Locator,
|
|
OUT HLOCATOR * NewLocator)
|
|
{
|
|
NTSTATUS Status ;
|
|
|
|
Status = LsaTable->DuplicateHandle( (HANDLE) Locator,
|
|
(PHANDLE) NewLocator );
|
|
|
|
if ( NT_SUCCESS( Status ) )
|
|
{
|
|
return( TRUE );
|
|
}
|
|
|
|
return( FALSE );
|
|
|
|
}
|
|
|
|
#if 0
|
|
DWORD
|
|
TestExternalMapper(
|
|
PCCERT_CONTEXT pCertContext)
|
|
{
|
|
NTSTATUS Status;
|
|
NTSTATUS AuthPackageStatus;
|
|
SSL_EXTERNAL_CERT_LOGON_REQ Request;
|
|
PSSL_EXTERNAL_CERT_LOGON_RESP pResponse;
|
|
ULONG ResponseLength;
|
|
UNICODE_STRING PackageName;
|
|
|
|
//
|
|
// Build request.
|
|
//
|
|
|
|
memset(&Request, 0, sizeof(SSL_EXTERNAL_CERT_LOGON_REQ));
|
|
|
|
Request.MessageType = SSL_LOOKUP_EXTERNAL_CERT_MESSAGE;
|
|
Request.Length = sizeof(SSL_EXTERNAL_CERT_LOGON_REQ);
|
|
Request.CredentialType = X509_ASN_CHAIN;
|
|
Request.Credential = (PVOID)pCertContext;
|
|
|
|
|
|
//
|
|
// Call security package (must make call as local system).
|
|
//
|
|
|
|
RtlInitUnicodeString(&PackageName, L"Schannel");
|
|
|
|
Status = LsaICallPackage(
|
|
&PackageName,
|
|
&Request,
|
|
Request.Length,
|
|
(PVOID *)&pResponse,
|
|
&ResponseLength,
|
|
&AuthPackageStatus
|
|
);
|
|
|
|
if(!NT_SUCCESS(Status))
|
|
{
|
|
return Status;
|
|
}
|
|
|
|
if(NT_SUCCESS(AuthPackageStatus))
|
|
{
|
|
//
|
|
// Mapping was successful.
|
|
//
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
LsaIFreeReturnBuffer( pResponse );
|
|
|
|
return ERROR_SUCCESS;
|
|
}
|
|
#endif
|