2020-09-30 16:53:55 +02:00

1143 lines
27 KiB
C
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

/*++
Copyright (c) 1987-1996 Microsoft Corporation
Module Name:
lsarepl.c
Abstract:
Low level LSA Replication functions.
Author:
06-Apr-1992 (madana)
Created for LSA replication.
Environment:
User mode only.
Contains NT-specific code.
Requires ANSI C extensions: slash-slash comments, long external names.
Revision History:
--*/
//
// Common include files.
//
#include "logonsrv.h" // Include files common to entire service
#pragma hdrstop
#include "lsarepl.h"
NTSTATUS
NlPackLsaPolicy(
IN OUT PNETLOGON_DELTA_ENUM Delta,
IN PDB_INFO DBInfo,
IN LPDWORD BufferSize )
/*++
Routine Description:
Pack a description of the LSA policy info into the specified buffer.
Arguments:
Delta: pointer to the delta structure where the new delta will
be returned.
DBInfo: pointer to the database info structure.
BufferSize: size of MIDL buffer that is consumed for this delta is
returned here.
Return Value:
NT status code.
--*/
{
NTSTATUS Status;
ULONG i;
PLSAPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor = NULL;
PLSAPR_POLICY_INFORMATION PolicyAuditLogInfo = NULL;
PLSAPR_POLICY_INFORMATION PolicyAuditEventsInfo = NULL;
PLSAPR_POLICY_INFORMATION PolicyPrimaryDomainInfo = NULL;
PLSAPR_POLICY_INFORMATION PolicyDefaultQuotaInfo = NULL;
PLSAPR_POLICY_INFORMATION PolicyModificationInfo = NULL;
PNETLOGON_DELTA_POLICY DeltaPolicy = NULL;
DEFPACKTIMER;
DEFLSATIMER;
INITPACKTIMER;
INITLSATIMER;
STARTPACKTIMER;
NlPrint((NL_SYNC_MORE, "Packing Policy Object\n"));
*BufferSize = 0;
Delta->DeltaType = AddOrChangeLsaPolicy;
Delta->DeltaUnion.DeltaPolicy = NULL;
QUERY_LSA_SECOBJ_INFO(DBInfo->DBHandle);
STARTLSATIMER;
Status = LsarQueryInformationPolicy(
DBInfo->DBHandle,
PolicyAuditLogInformation,
&PolicyAuditLogInfo);
STOPLSATIMER;
if (!NT_SUCCESS(Status)) {
PolicyAuditLogInfo = NULL;
goto Cleanup;
}
STARTLSATIMER;
Status = LsarQueryInformationPolicy(
DBInfo->DBHandle,
PolicyAuditEventsInformation,
&PolicyAuditEventsInfo);
STOPLSATIMER;
if (!NT_SUCCESS(Status)) {
PolicyAuditEventsInfo = NULL;
goto Cleanup;
}
STARTLSATIMER;
Status = LsarQueryInformationPolicy(
DBInfo->DBHandle,
PolicyPrimaryDomainInformation,
&PolicyPrimaryDomainInfo);
STOPLSATIMER;
if (!NT_SUCCESS(Status)) {
PolicyPrimaryDomainInfo = NULL;
goto Cleanup;
}
STARTLSATIMER;
Status = LsarQueryInformationPolicy(
DBInfo->DBHandle,
PolicyDefaultQuotaInformation,
&PolicyDefaultQuotaInfo);
STOPLSATIMER;
if (!NT_SUCCESS(Status)) {
PolicyDefaultQuotaInfo = NULL;
goto Cleanup;
}
STARTLSATIMER;
Status = LsarQueryInformationPolicy(
DBInfo->DBHandle,
PolicyModificationInformation,
&PolicyModificationInfo);
STOPLSATIMER;
if (!NT_SUCCESS(Status)) {
PolicyModificationInfo = NULL;
goto Cleanup;
}
//
// Fill in the delta structure
//
//
// copy SID info (There is only one policy database. It has no SID).
//
Delta->DeltaID.Sid = NULL;
//
// allocate delta buffer
//
DeltaPolicy = (PNETLOGON_DELTA_POLICY)
MIDL_user_allocate( sizeof(NETLOGON_DELTA_POLICY) );
if( DeltaPolicy == NULL ) {
Status = STATUS_NO_MEMORY;
goto Cleanup;
}
//
// wipe off the buffer so that cleanup will not be in fault.
//
RtlZeroMemory( DeltaPolicy, sizeof(NETLOGON_DELTA_POLICY) );
// INIT_PLACE_HOLDER(DeltaPolicy);
Delta->DeltaUnion.DeltaPolicy = DeltaPolicy;
*BufferSize += sizeof(NETLOGON_DELTA_POLICY);
DeltaPolicy->MaximumLogSize =
PolicyAuditLogInfo->PolicyAuditLogInfo.MaximumLogSize;
DeltaPolicy->AuditRetentionPeriod;
PolicyAuditLogInfo->PolicyAuditLogInfo.AuditRetentionPeriod;
DeltaPolicy->AuditingMode =
PolicyAuditEventsInfo->
PolicyAuditEventsInfo.AuditingMode;
DeltaPolicy->MaximumAuditEventCount =
PolicyAuditEventsInfo->
PolicyAuditEventsInfo.MaximumAuditEventCount;
*BufferSize += NlCopyData(
(LPBYTE *)&(PolicyAuditEventsInfo->
PolicyAuditEventsInfo.EventAuditingOptions),
(LPBYTE *)&(DeltaPolicy->EventAuditingOptions),
(DeltaPolicy->MaximumAuditEventCount + 1) *
sizeof(ULONG));
// Tell the BDC to 'set' these bits and not just 'or' them in to the current ones
for ( i=0; i<DeltaPolicy->MaximumAuditEventCount; i++ ) {
DeltaPolicy->EventAuditingOptions[i] |= POLICY_AUDIT_EVENT_NONE;
}
//
// sanitity check, EventAuditingOptions size is ULONG size.
//
NlAssert(sizeof(*(PolicyAuditEventsInfo->
PolicyAuditEventsInfo.EventAuditingOptions)) ==
sizeof(ULONG) );
*BufferSize += NlCopyUnicodeString(
(PUNICODE_STRING)&PolicyPrimaryDomainInfo->
PolicyPrimaryDomainInfo.Name,
&DeltaPolicy->PrimaryDomainName );
*BufferSize += NlCopyData(
(LPBYTE *)&(PolicyPrimaryDomainInfo->
PolicyPrimaryDomainInfo.Sid),
(LPBYTE *)&(DeltaPolicy->PrimaryDomainSid),
RtlLengthSid((PSID)(PolicyPrimaryDomainInfo->
PolicyPrimaryDomainInfo.Sid) ));
DeltaPolicy->QuotaLimits.PagedPoolLimit =
(ULONG)PolicyDefaultQuotaInfo->PolicyDefaultQuotaInfo.QuotaLimits.PagedPoolLimit;
DeltaPolicy->QuotaLimits.NonPagedPoolLimit =
(ULONG)PolicyDefaultQuotaInfo->PolicyDefaultQuotaInfo.QuotaLimits.NonPagedPoolLimit;
DeltaPolicy->QuotaLimits.MinimumWorkingSetSize =
(ULONG)PolicyDefaultQuotaInfo->PolicyDefaultQuotaInfo.QuotaLimits.MinimumWorkingSetSize;
DeltaPolicy->QuotaLimits.MaximumWorkingSetSize =
(ULONG)PolicyDefaultQuotaInfo->PolicyDefaultQuotaInfo.QuotaLimits.MaximumWorkingSetSize;
DeltaPolicy->QuotaLimits.PagefileLimit =
(ULONG)PolicyDefaultQuotaInfo->PolicyDefaultQuotaInfo.QuotaLimits.PagefileLimit;
NEW_TO_OLD_LARGE_INTEGER(
PolicyDefaultQuotaInfo->PolicyDefaultQuotaInfo.QuotaLimits.TimeLimit,
DeltaPolicy->QuotaLimits.TimeLimit );
NEW_TO_OLD_LARGE_INTEGER(
PolicyModificationInfo->PolicyModificationInfo.ModifiedId,
DeltaPolicy->ModifiedId );
NEW_TO_OLD_LARGE_INTEGER(
PolicyModificationInfo->PolicyModificationInfo.DatabaseCreationTime,
DeltaPolicy->DatabaseCreationTime );
DELTA_SECOBJ_INFO(DeltaPolicy);
//
// All Done
//
Status = STATUS_SUCCESS;
Cleanup:
STARTLSATIMER;
if ( SecurityDescriptor != NULL ) {
LsaIFree_LSAPR_SR_SECURITY_DESCRIPTOR( SecurityDescriptor );
}
if ( PolicyAuditLogInfo != NULL ) {
LsaIFree_LSAPR_POLICY_INFORMATION(
PolicyAuditLogInformation,
PolicyAuditLogInfo );
}
if ( PolicyAuditEventsInfo != NULL ) {
LsaIFree_LSAPR_POLICY_INFORMATION(
PolicyAuditEventsInformation,
PolicyAuditEventsInfo );
}
if ( PolicyPrimaryDomainInfo != NULL ) {
LsaIFree_LSAPR_POLICY_INFORMATION(
PolicyPrimaryDomainInformation,
PolicyPrimaryDomainInfo );
}
if ( PolicyDefaultQuotaInfo != NULL ) {
LsaIFree_LSAPR_POLICY_INFORMATION(
PolicyDefaultQuotaInformation,
PolicyDefaultQuotaInfo );
}
if ( PolicyModificationInfo != NULL ) {
LsaIFree_LSAPR_POLICY_INFORMATION(
PolicyModificationInformation,
PolicyModificationInfo );
}
STOPLSATIMER;
if( !NT_SUCCESS(Status) ) {
NlFreeDBDelta( Delta );
*BufferSize = 0;
}
STOPPACKTIMER;
NlPrint((NL_REPL_OBJ_TIME,"Time taken to pack POLICY object:\n"));
PRINTPACKTIMER;
PRINTLSATIMER;
return(Status);
}
NTSTATUS
NlPackLsaTDomain(
IN PSID Sid,
IN OUT PNETLOGON_DELTA_ENUM Delta,
IN PDB_INFO DBInfo,
IN LPDWORD BufferSize )
/*++
Routine Description:
Pack a description of the specified trusted domain info into the
specified buffer.
Arguments:
Sid - The SID of the trusted domain.
Delta: pointer to the delta structure where the new delta will
be returned.
DBInfo: pointer to the database info structure.
BufferSize: size of MIDL buffer that is consumed for this delta is
returned here.
Return Value:
NT status code.
--*/
{
NTSTATUS Status;
LSAPR_HANDLE TrustedDomainHandle = NULL;
PLSAPR_TRUSTED_DOMAIN_INFO TrustedDomainNameInfo = NULL;
PLSAPR_TRUSTED_DOMAIN_INFO TrustedPosixOffsetInfo = NULL;
PLSAPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor = NULL;
PNETLOGON_DELTA_TRUSTED_DOMAINS DeltaTDomain = NULL;
DWORD i;
DWORD Entries;
DWORD Size = 0;
PLSAPR_UNICODE_STRING UnicodeControllerName;
DEFPACKTIMER;
DEFLSATIMER;
INITPACKTIMER;
INITLSATIMER;
STARTPACKTIMER;
NlPrint((NL_SYNC_MORE, "Packing Trusted Domain Object\n"));
*BufferSize = 0;
Delta->DeltaType = AddOrChangeLsaTDomain;
Delta->DeltaID.Sid = NULL;
Delta->DeltaUnion.DeltaTDomains = NULL;
//
// open trusted domain
//
STARTLSATIMER;
Status = LsarOpenTrustedDomain(
DBInfo->DBHandle,
(PLSAPR_SID)Sid,
0,
&TrustedDomainHandle );
STOPLSATIMER;
if (!NT_SUCCESS(Status)) {
TrustedDomainHandle = NULL;
goto Cleanup;
}
QUERY_LSA_SECOBJ_INFO(TrustedDomainHandle);
STARTLSATIMER;
Status = LsarQueryInfoTrustedDomain(
TrustedDomainHandle,
TrustedDomainNameInformation,
&TrustedDomainNameInfo );
STOPLSATIMER;
if (!NT_SUCCESS(Status)) {
TrustedDomainNameInfo = NULL;
goto Cleanup;
}
NlPrint((NL_SYNC_MORE,
"\t Trusted Domain Object name %wZ\n",
(PUNICODE_STRING)&TrustedDomainNameInfo->
TrustedDomainNameInfo.Name ));
STARTLSATIMER;
Status = LsarQueryInfoTrustedDomain(
TrustedDomainHandle,
TrustedPosixOffsetInformation,
&TrustedPosixOffsetInfo );
STOPLSATIMER;
if (!NT_SUCCESS(Status)) {
TrustedPosixOffsetInfo = NULL;
goto Cleanup;
}
//
// Fill in the delta structure
//
//
// copy SID info
//
Delta->DeltaID.Sid = MIDL_user_allocate( RtlLengthSid(Sid) );
if( Delta->DeltaID.Sid == NULL ) {
Status = STATUS_NO_MEMORY;
goto Cleanup;
}
RtlCopyMemory( Delta->DeltaID.Sid, Sid, RtlLengthSid(Sid) );
//
// allocate delta buffer
//
DeltaTDomain = (PNETLOGON_DELTA_TRUSTED_DOMAINS)
MIDL_user_allocate( sizeof(NETLOGON_DELTA_TRUSTED_DOMAINS) );
if( DeltaTDomain == NULL ) {
Status = STATUS_NO_MEMORY;
goto Cleanup;
}
//
// wipe off the buffer so that cleanup will not be in fault.
//
RtlZeroMemory( DeltaTDomain, sizeof(NETLOGON_DELTA_TRUSTED_DOMAINS) );
// INIT_PLACE_HOLDER(DeltaTDomain);
Delta->DeltaUnion.DeltaTDomains = DeltaTDomain;
*BufferSize += sizeof(NETLOGON_DELTA_TRUSTED_DOMAINS);
*BufferSize += NlCopyUnicodeString(
(PUNICODE_STRING)&TrustedDomainNameInfo->
TrustedDomainNameInfo.Name,
&DeltaTDomain->DomainName );
DELTA_SECOBJ_INFO(DeltaTDomain);
//
// send Posix Offset info across using place holder.
//
DeltaTDomain->DummyLong1 =
TrustedPosixOffsetInfo->TrustedPosixOffsetInfo.Offset;
//
// All Done
//
Status = STATUS_SUCCESS;
Cleanup:
STARTLSATIMER;
if ( TrustedDomainHandle != NULL ) {
LsarClose( &TrustedDomainHandle );
}
if ( SecurityDescriptor != NULL ) {
LsaIFree_LSAPR_SR_SECURITY_DESCRIPTOR( SecurityDescriptor );
}
if ( TrustedDomainNameInfo != NULL ) {
LsaIFree_LSAPR_TRUSTED_DOMAIN_INFO(
TrustedDomainNameInformation,
TrustedDomainNameInfo );
}
if ( TrustedPosixOffsetInfo != NULL ) {
LsaIFree_LSAPR_TRUSTED_DOMAIN_INFO(
TrustedPosixOffsetInformation,
TrustedPosixOffsetInfo );
}
STOPLSATIMER;
if( !NT_SUCCESS(Status) ) {
NlFreeDBDelta( Delta );
*BufferSize = 0;
}
STOPPACKTIMER;
NlPrint((NL_REPL_OBJ_TIME,"Time taken to pack TDOMAIN object:\n"));
PRINTPACKTIMER;
PRINTLSATIMER;
return(Status);
}
NTSTATUS
NlPackLsaAccount(
IN PSID Sid,
IN OUT PNETLOGON_DELTA_ENUM Delta,
IN PDB_INFO DBInfo,
IN LPDWORD BufferSize,
IN PSESSION_INFO SessionInfo
)
/*++
Routine Description:
Pack a description of the specified LSA account info into the
specified buffer.
Arguments:
Sid - The SID of the LSA account.
Delta: pointer to the delta structure where the new delta will
be returned.
DBInfo: pointer to the database info structure.
BufferSize: size of MIDL buffer that is consumed for this delta is
returned here.
SessionInfo: Info describing BDC that's calling us
Return Value:
NT status code.
--*/
{
NTSTATUS Status;
PLSAPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor = NULL;
PNETLOGON_DELTA_ACCOUNTS DeltaAccount = NULL;
LSAPR_HANDLE AccountHandle = NULL;
PLSAPR_PRIVILEGE_SET Privileges = NULL;
ULONG SystemAccessFlags;
PULONG PrivilegeAttributes;
PUNICODE_STRING PrivilegeNames;
LUID MachineAccountPrivilegeLuid;
DWORD CopiedPrivilegeCount;
DWORD i;
DWORD Size;
DEFPACKTIMER;
DEFLSATIMER;
INITPACKTIMER;
INITLSATIMER;
STARTPACKTIMER;
NlPrint((NL_SYNC_MORE, "Packing Lsa Account Object\n"));
*BufferSize = 0;
MachineAccountPrivilegeLuid = RtlConvertLongToLuid(SE_MACHINE_ACCOUNT_PRIVILEGE);
Delta->DeltaType = AddOrChangeLsaAccount;
Delta->DeltaID.Sid = NULL;
Delta->DeltaUnion.DeltaAccounts = NULL;
//
// open lsa account
//
STARTLSATIMER;
Status = LsarOpenAccount(
DBInfo->DBHandle,
(PLSAPR_SID)Sid,
0,
&AccountHandle );
STOPLSATIMER;
if (!NT_SUCCESS(Status)) {
AccountHandle = NULL;
goto Cleanup;
}
QUERY_LSA_SECOBJ_INFO(AccountHandle);
STARTLSATIMER;
Status = LsarEnumeratePrivilegesAccount(
AccountHandle,
&Privileges );
STOPLSATIMER;
if (!NT_SUCCESS(Status)) {
Privileges = NULL;
goto Cleanup;
}
STARTLSATIMER;
Status = LsarGetSystemAccessAccount(
AccountHandle,
&SystemAccessFlags );
STOPLSATIMER;
if (!NT_SUCCESS(Status)) {
goto Cleanup;
}
//
// Fill in the delta structure
//
//
// copy SID info
//
Delta->DeltaID.Sid = MIDL_user_allocate( RtlLengthSid(Sid) );
if( Delta->DeltaID.Sid == NULL ) {
Status = STATUS_NO_MEMORY;
goto Cleanup;
}
RtlCopyMemory( Delta->DeltaID.Sid, Sid, RtlLengthSid(Sid) );
//
// allocate delta buffer
//
DeltaAccount = (PNETLOGON_DELTA_ACCOUNTS)
MIDL_user_allocate( sizeof(NETLOGON_DELTA_ACCOUNTS) );
if( DeltaAccount == NULL ) {
Status = STATUS_NO_MEMORY;
goto Cleanup;
}
//
// wipe off the buffer so that cleanup will not be in fault.
//
RtlZeroMemory( DeltaAccount, sizeof(NETLOGON_DELTA_ACCOUNTS) );
// INIT_PLACE_HOLDER(DeltaAccount);
Delta->DeltaUnion.DeltaAccounts = DeltaAccount;
*BufferSize += sizeof(NETLOGON_DELTA_ACCOUNTS);
DeltaAccount->PrivilegeControl = Privileges->Control;
DeltaAccount->PrivilegeEntries = 0;
DeltaAccount->PrivilegeAttributes = NULL;
DeltaAccount->PrivilegeNames = NULL;
Size = Privileges->PrivilegeCount * sizeof(ULONG);
PrivilegeAttributes = MIDL_user_allocate( Size );
if( PrivilegeAttributes == NULL ) {
Status = STATUS_NO_MEMORY;
goto Cleanup;
}
DeltaAccount->PrivilegeAttributes = PrivilegeAttributes;
*BufferSize += Size;
Size = Privileges->PrivilegeCount * sizeof(UNICODE_STRING);
PrivilegeNames = MIDL_user_allocate( Size );
if( PrivilegeNames == NULL ) {
Status = STATUS_NO_MEMORY;
goto Cleanup;
}
DeltaAccount->PrivilegeNames = PrivilegeNames;
*BufferSize += Size;
//
// now fill up Privilege Attributes and Names
//
CopiedPrivilegeCount = 0;
for( i = 0; i < Privileges->PrivilegeCount; i++ ) {
//
// Don't replicate SeMachineAccount privilege to NT 3.1. It can't handle it.
// (Use the SUPPORTS_ACCOUNT_LOCKOUT bit so we don't have to consume
// another bit.)
//
if ( (SessionInfo->NegotiatedFlags & NETLOGON_SUPPORTS_ACCOUNT_LOCKOUT) ||
(!RtlEqualLuid((PLUID)(&Privileges->Privilege[i].Luid),
&MachineAccountPrivilegeLuid ))) {
PLSAPR_UNICODE_STRING PrivName = NULL;
*PrivilegeAttributes = Privileges->Privilege[i].Attributes;
//
// convert LUID to Name
//
STARTLSATIMER;
Status = LsarLookupPrivilegeName(
DBInfo->DBHandle,
(PLUID)&Privileges->Privilege[i].Luid,
&PrivName );
STOPLSATIMER;
if (!NT_SUCCESS(Status)) {
goto Cleanup;
}
*BufferSize += NlCopyUnicodeString(
(PUNICODE_STRING)PrivName,
PrivilegeNames );
LsaIFree_LSAPR_UNICODE_STRING( PrivName );
CopiedPrivilegeCount ++;
PrivilegeAttributes++;
PrivilegeNames++;
} else {
NlPrint((NL_SYNC_MORE,
"NlPackLsaAccount: ignored privilege %ld %ld\n",
(PLUID) LongToPtr( (&Privileges->Privilege[i].Luid)->HighPart ),
(PLUID) ULongToPtr( (&Privileges->Privilege[i].Luid)->LowPart ) ));
}
}
DeltaAccount->PrivilegeEntries = CopiedPrivilegeCount;
//
// Send only those bits that NT4.0 BDC understands.
// Otherwise, it will choke on it.
//
DeltaAccount->SystemAccessFlags = SystemAccessFlags & POLICY_MODE_ALL_NT4;
DELTA_SECOBJ_INFO(DeltaAccount);
//
// All Done
//
Status = STATUS_SUCCESS;
Cleanup:
STARTLSATIMER;
if ( AccountHandle != NULL ) {
LsarClose( &AccountHandle );
}
if ( SecurityDescriptor != NULL ) {
LsaIFree_LSAPR_SR_SECURITY_DESCRIPTOR( SecurityDescriptor );
}
if ( Privileges != NULL ) {
LsaIFree_LSAPR_PRIVILEGE_SET( Privileges );
}
STOPLSATIMER;
if( !NT_SUCCESS(Status) ) {
NlFreeDBDelta( Delta );
*BufferSize = 0;
}
STOPPACKTIMER;
NlPrint((NL_REPL_OBJ_TIME,"Time taken to pack LSAACCOUNT object:\n"));
PRINTPACKTIMER;
PRINTLSATIMER;
return(Status);
}
NTSTATUS
NlPackLsaSecret(
IN PUNICODE_STRING Name,
IN OUT PNETLOGON_DELTA_ENUM Delta,
IN PDB_INFO DBInfo,
IN LPDWORD BufferSize,
IN PSESSION_INFO SessionInfo
)
/*++
Routine Description:
Pack a description of the specified LSA secret info into the
specified buffer.
Arguments:
Name - Name of the secret.
Delta: pointer to the delta structure where the new delta will
be returned.
DBInfo: pointer to the database info structure.
BufferSize: size of MIDL buffer that is consumed for this delta is
returned here.
SessionInfo: Information shared between BDC and PDC
Return Value:
NT status code.
--*/
{
NTSTATUS Status;
PLSAPR_SR_SECURITY_DESCRIPTOR SecurityDescriptor = NULL;
LSAPR_HANDLE SecretHandle = NULL;
PNETLOGON_DELTA_SECRET DeltaSecret = NULL;
PLSAPR_CR_CIPHER_VALUE CurrentValue = NULL;
PLSAPR_CR_CIPHER_VALUE OldValue = NULL;
LARGE_INTEGER CurrentValueSetTime;
LARGE_INTEGER OldValueSetTime;
DEFPACKTIMER;
DEFLSATIMER;
INITPACKTIMER;
INITLSATIMER;
STARTPACKTIMER;
NlPrint((NL_SYNC_MORE, "Packing Secret Object: %wZ\n", Name));
//
// we should be packing only GLOBAL secrets
//
NlAssert(
(Name->Length / sizeof(WCHAR) >
LSA_GLOBAL_SECRET_PREFIX_LENGTH ) &&
(_wcsnicmp( Name->Buffer,
LSA_GLOBAL_SECRET_PREFIX,
LSA_GLOBAL_SECRET_PREFIX_LENGTH ) == 0) );
*BufferSize = 0;
Delta->DeltaType = AddOrChangeLsaSecret;
Delta->DeltaID.Name = NULL;
Delta->DeltaUnion.DeltaPolicy = NULL;
//
// open lsa account
//
STARTLSATIMER;
Status = LsarOpenSecret(
DBInfo->DBHandle,
(PLSAPR_UNICODE_STRING)Name,
0,
&SecretHandle );
STOPLSATIMER;
if (!NT_SUCCESS(Status)) {
SecretHandle = NULL;
goto Cleanup;
}
QUERY_LSA_SECOBJ_INFO(SecretHandle);
STARTLSATIMER;
Status = LsarQuerySecret(
SecretHandle,
&CurrentValue,
&CurrentValueSetTime,
&OldValue,
&OldValueSetTime );
STOPLSATIMER;
if (!NT_SUCCESS(Status)) {
CurrentValue = NULL;
OldValue = NULL;
goto Cleanup;
}
//
// Fill in the delta structure
//
//
// copy ID field
//
Delta->DeltaID.Name =
MIDL_user_allocate( Name->Length + sizeof(WCHAR) );
if( Delta->DeltaID.Name == NULL ) {
Status = STATUS_NO_MEMORY;
goto Cleanup;
}
wcsncpy( Delta->DeltaID.Name,
Name->Buffer,
Name->Length / sizeof(WCHAR) );
//
// terminate string
//
Delta->DeltaID.Name[ Name->Length / sizeof(WCHAR) ] = L'\0';
DeltaSecret = (PNETLOGON_DELTA_SECRET)
MIDL_user_allocate( sizeof(NETLOGON_DELTA_SECRET) );
if( DeltaSecret == NULL ) {
Status = STATUS_NO_MEMORY;
goto Cleanup;
}
//
// wipe off the buffer so that cleanup will not be in fault.
//
RtlZeroMemory( DeltaSecret, sizeof(NETLOGON_DELTA_SECRET) );
// INIT_PLACE_HOLDER(DeltaSecret);
Delta->DeltaUnion.DeltaSecret = DeltaSecret;
*BufferSize += sizeof(NETLOGON_DELTA_SECRET);
NEW_TO_OLD_LARGE_INTEGER(
CurrentValueSetTime,
DeltaSecret->CurrentValueSetTime );
NEW_TO_OLD_LARGE_INTEGER(
OldValueSetTime,
DeltaSecret->OldValueSetTime );
if( CurrentValue != NULL && CurrentValue->Buffer != NULL && CurrentValue->Length != 0) {
//
// Copy the secret into an allocated buffer and encrypt it in place.
// Don't use the LSA's buffer since it a ALLOCATE_ALL_NODES.
//
DeltaSecret->CurrentValue.Buffer =
MIDL_user_allocate( CurrentValue->Length );
if( DeltaSecret->CurrentValue.Buffer == NULL ) {
Status = STATUS_NO_MEMORY;
goto Cleanup;
}
DeltaSecret->CurrentValue.Length =
DeltaSecret->CurrentValue.MaximumLength = CurrentValue->Length;
RtlCopyMemory( DeltaSecret->CurrentValue.Buffer,
CurrentValue->Buffer,
CurrentValue->Length );
//
// secret values are encrypted using session keys.
//
Status = NlEncryptSensitiveData(
(PCRYPT_BUFFER) &DeltaSecret->CurrentValue,
SessionInfo );
if (!NT_SUCCESS(Status)) {
goto Cleanup;
}
} else {
DeltaSecret->CurrentValue.Length = 0;
DeltaSecret->CurrentValue.MaximumLength = 0;
DeltaSecret->CurrentValue.Buffer = NULL;
}
*BufferSize += DeltaSecret->CurrentValue.MaximumLength;
if( OldValue != NULL && OldValue->Buffer != NULL && OldValue->Length != 0 ) {
//
// Copy the secret into an allocated buffer and encrypt it in place.
// Don't use the LSA's buffer since it a ALLOCATE_ALL_NODES.
//
DeltaSecret->OldValue.Buffer =
MIDL_user_allocate( OldValue->Length );
if( DeltaSecret->OldValue.Buffer == NULL ) {
Status = STATUS_NO_MEMORY;
goto Cleanup;
}
DeltaSecret->OldValue.Length =
DeltaSecret->OldValue.MaximumLength = OldValue->Length;
RtlCopyMemory( DeltaSecret->OldValue.Buffer,
OldValue->Buffer,
OldValue->Length );
//
// secret values are encrypted using session keys.
//
Status = NlEncryptSensitiveData(
(PCRYPT_BUFFER) &DeltaSecret->OldValue,
SessionInfo );
if (!NT_SUCCESS(Status)) {
goto Cleanup;
}
} else {
DeltaSecret->OldValue.Length = 0;
DeltaSecret->OldValue.MaximumLength = 0;
DeltaSecret->OldValue.Buffer = NULL;
}
*BufferSize += DeltaSecret->OldValue.MaximumLength;
DELTA_SECOBJ_INFO(DeltaSecret);
//
// All Done
//
Status = STATUS_SUCCESS;
Cleanup:
STARTLSATIMER;
if ( SecretHandle != NULL ) {
LsarClose( &SecretHandle );
}
if ( SecurityDescriptor != NULL ) {
LsaIFree_LSAPR_SR_SECURITY_DESCRIPTOR( SecurityDescriptor );
}
if( CurrentValue != NULL ) {
LsaIFree_LSAPR_CR_CIPHER_VALUE( CurrentValue );
}
if( OldValue != NULL ) {
LsaIFree_LSAPR_CR_CIPHER_VALUE( OldValue );
}
STOPLSATIMER;
if( !NT_SUCCESS(Status) ) {
NlFreeDBDelta( Delta );
*BufferSize = 0;
}
STOPPACKTIMER;
NlPrint((NL_REPL_OBJ_TIME,"Time taken to pack SECRET object:\n"));
PRINTPACKTIMER;
PRINTLSATIMER;
return(Status);
}