Microsoft/Windows2003-3790
Microsoft/Windows2003-3790
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Windows2003-3790/ds/security/protocols/msv_sspi/kernel/krnlapi.cxx
Microsoft 50969b0ea2 First commit
2020-09-30 16:53:55 +02:00

3004 lines
83 KiB
C++
Raw Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

//+-----------------------------------------------------------------------
//
// Microsoft Windows
//
// Copyright (c) Microsoft Corporation 1992 - 1999
//
// File: krnlapi.cxx
//
// Contents: Kernel-mode APIs to the NTLM package
//
//
// History: 07-Sep-1996 Created ChandanS
//
//------------------------------------------------------------------------
#include <ntlmkrnl.h>
extern "C"
{
#include <cryptdll.h>
#include <zwapi.h>
}
#include "crc32.h" // How to use crc32
extern "C"
{
#include <rc4.h> // How to use RC4 routine
#include <md5.h>
#include <hmac.h>
}
#define DEFENSIVE_HANDLES
// Context Signatures
#define NTLM_CONTEXT_SIGNATURE 'MLTN'
#define NTLM_CONTEXT_DELETED_SIGNATURE 'XXXX'
// Keep this is sync with NTLM_KERNEL_CONTEXT defined in
// security\msv_sspi\userapi.cxx
typedef struct _NTLM_KERNEL_CONTEXT{
KSEC_LIST_ENTRY List;
ULONG_PTR LsaContext;
ULONG NegotiateFlags;
HANDLE ClientTokenHandle;
PACCESS_TOKEN AccessToken;
PULONG pSendNonce; // ptr to nonce to use for send
PULONG pRecvNonce; // ptr to nonce to use for receive
struct RC4_KEYSTRUCT * pSealRc4Sched; // ptr to key sched used for Seal
struct RC4_KEYSTRUCT * pUnsealRc4Sched; // ptr to key sched used to Unseal
ULONG SendNonce;
ULONG RecvNonce;
LPWSTR ContextNames;
PUCHAR pbMarshalledTargetInfo;
ULONG cbMarshalledTargetInfo;
UCHAR SessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
ULONG ContextSignature;
ULONG References ;
TimeStamp PasswordExpiry;
ULONG UserFlags;
UCHAR SignSessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
UCHAR VerifySessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
UCHAR SealSessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
UCHAR UnsealSessionKey[MSV1_0_USER_SESSION_KEY_LENGTH];
ULONG64 Pad1; // pad keystructs to 64.
struct RC4_KEYSTRUCT SealRc4Sched; // key struct used for Seal
ULONG64 Pad2; // pad keystructs to 64.
struct RC4_KEYSTRUCT UnsealRc4Sched; // key struct used to Unseal
} NTLM_KERNEL_CONTEXT, * PNTLM_KERNEL_CONTEXT;
typedef struct _NTLM_PACKED_CONTEXT {
ULONG Tag ;
ULONG NegotiateFlags ;
ULONG ClientTokenHandle ;
ULONG SendNonce ;
ULONG RecvNonce ;
UCHAR SessionKey[ MSV1_0_USER_SESSION_KEY_LENGTH ];
ULONG ContextSignature ;
TimeStamp PasswordExpiry ;
ULONG UserFlags ;
ULONG ContextNames ;
ULONG ContextNameLength ;
ULONG MarshalledTargetInfo; // offset
ULONG MarshalledTargetInfoLength;
UCHAR SignSessionKey[ MSV1_0_USER_SESSION_KEY_LENGTH ];
UCHAR VerifySessionKey[ MSV1_0_USER_SESSION_KEY_LENGTH ];
UCHAR SealSessionKey[ MSV1_0_USER_SESSION_KEY_LENGTH ];
UCHAR UnsealSessionKey[ MSV1_0_USER_SESSION_KEY_LENGTH ];
struct RC4_KEYSTRUCT SealRc4Sched;
struct RC4_KEYSTRUCT UnsealRc4Sched;
} NTLM_PACKED_CONTEXT, * PNTLM_PACKED_CONTEXT ;
#define NTLM_PACKED_CONTEXT_MAP 0
#define CSSEALMAGIC "session key to client-to-server sealing key magic constant"
#define SCSEALMAGIC "session key to server-to-client sealing key magic constant"
#define CSSIGNMAGIC "session key to client-to-server signing key magic constant"
#define SCSIGNMAGIC "session key to server-to-client signing key magic constant"
typedef enum _eSignSealOp {
eSign, // MakeSignature is calling
eVerify, // VerifySignature is calling
eSeal, // SealMessage is calling
eUnseal // UnsealMessage is calling
} eSignSealOp;
//
// Make these extern "C" to allow them to be pageable.
//
extern "C"
{
KspInitPackageFn NtLmInitKernelPackage;
KspDeleteContextFn NtLmDeleteKernelContext;
KspInitContextFn NtLmInitKernelContext;
KspMapHandleFn NtLmMapKernelHandle;
KspMakeSignatureFn NtLmMakeSignature;
KspVerifySignatureFn NtLmVerifySignature;
KspSealMessageFn NtLmSealMessage;
KspUnsealMessageFn NtLmUnsealMessage;
KspGetTokenFn NtLmGetContextToken;
KspQueryAttributesFn NtLmQueryContextAttributes;
KspCompleteTokenFn NtLmCompleteToken;
SpExportSecurityContextFn NtLmExportSecurityContext;
SpImportSecurityContextFn NtLmImportSecurityContext;
KspSetPagingModeFn NtlmSetPagingMode ;
//
// Local prototypes:
//
NTSTATUS
NtLmCreateKernelModeContext(
IN ULONG ContextHandle,
IN PSecBuffer MarshalledContext,
OUT PNTLM_KERNEL_CONTEXT * NewContext
);
NTSTATUS
NtLmMakePackedContext(
IN PNTLM_KERNEL_CONTEXT Context,
OUT PBOOLEAN MappedContext,
OUT PSecBuffer ContextData,
IN ULONG Flags
);
NTSTATUS
NtlmFreeKernelContext (
PNTLM_KERNEL_CONTEXT KernelContext
);
#define NtlmReferenceContext( Context, Remove ) \
KSecReferenceListEntry( (PKSEC_LIST_ENTRY) Context, \
NTLM_CONTEXT_SIGNATURE, \
Remove )
VOID
NtlmDerefContext(
PNTLM_KERNEL_CONTEXT Context
);
void
SspGenCheckSum(
IN PSecBuffer pMessage,
OUT PNTLMSSP_MESSAGE_SIGNATURE pSig
);
VOID
SspEncryptBuffer(
IN PNTLM_KERNEL_CONTEXT pContext,
IN struct RC4_KEYSTRUCT * pRc4Key,
IN ULONG BufferSize,
IN OUT PVOID Buffer
);
VOID
SspRc4Key(
IN ULONG NegotiateFlags,
OUT struct RC4_KEYSTRUCT *pRc4Key,
IN PUCHAR pSessionKey
);
SECURITY_STATUS
SspSignSealHelper(
IN PNTLM_KERNEL_CONTEXT pContext,
IN eSignSealOp Op,
IN OUT PSecBufferDesc pMessage,
IN ULONG MessageSeqNo,
OUT PNTLMSSP_MESSAGE_SIGNATURE pSig,
OUT PNTLMSSP_MESSAGE_SIGNATURE * ppSig
);
} // extern "C"
#ifdef ALLOC_PRAGMA
#pragma alloc_text(PAGE, NtLmInitKernelPackage)
#pragma alloc_text(PAGE, NtLmDeleteKernelContext)
#pragma alloc_text(PAGE, NtLmInitKernelContext)
#pragma alloc_text(PAGE, NtLmMapKernelHandle)
#pragma alloc_text(PAGEMSG, NtLmMakeSignature)
#pragma alloc_text(PAGEMSG, NtLmVerifySignature)
#pragma alloc_text(PAGEMSG, NtLmSealMessage)
#pragma alloc_text(PAGEMSG, NtLmUnsealMessage)
#pragma alloc_text(PAGEMSG, NtLmGetContextToken)
#pragma alloc_text(PAGEMSG, NtLmQueryContextAttributes)
#pragma alloc_text(PAGEMSG, NtlmDerefContext )
#pragma alloc_text(PAGE, NtLmCompleteToken)
#pragma alloc_text(PAGE, NtLmExportSecurityContext)
#pragma alloc_text(PAGE, NtLmImportSecurityContext)
#pragma alloc_text(PAGEMSG, NtlmFreeKernelContext )
#pragma alloc_text(PAGE, NtLmCreateKernelModeContext )
#pragma alloc_text(PAGE, NtLmMakePackedContext )
#pragma alloc_text(PAGEMSG, SspGenCheckSum)
#pragma alloc_text(PAGEMSG, SspEncryptBuffer)
#pragma alloc_text(PAGE, SspRc4Key)
#pragma alloc_text(PAGEMSG, SspSignSealHelper)
#endif
SECPKG_KERNEL_FUNCTION_TABLE NtLmFunctionTable = {
NtLmInitKernelPackage,
NtLmDeleteKernelContext,
NtLmInitKernelContext,
NtLmMapKernelHandle,
NtLmMakeSignature,
NtLmVerifySignature,
NtLmSealMessage,
NtLmUnsealMessage,
NtLmGetContextToken,
NtLmQueryContextAttributes,
NtLmCompleteToken,
NtLmExportSecurityContext,
NtLmImportSecurityContext,
NtlmSetPagingMode
};
PSECPKG_KERNEL_FUNCTIONS LsaKernelFunctions;
POOL_TYPE NtlmPoolType ;
PVOID NtlmPagedList ;
PVOID NtlmNonPagedList ;
PVOID NtlmActiveList ;
#define MAYBE_PAGED_CODE() \
if ( NtlmPoolType == PagedPool ) \
{ \
PAGED_CODE(); \
}
//+-------------------------------------------------------------------------
//
// Function: FreeKernelContext
//
// Synopsis: frees alloced pointers in this context and
// then frees the context
//
// Arguments: KernelContext - the unlinked kernel context
//
// Returns: STATUS_SUCCESS on success
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUS
NtlmFreeKernelContext (
PNTLM_KERNEL_CONTEXT KernelContext
)
{
NTSTATUS Status = STATUS_SUCCESS;
MAYBE_PAGED_CODE();
DebugLog(( DEB_TRACE, "Entering FreeKernelContext\n" ));
if (KernelContext->ContextNames != NULL)
{
NtLmFree (KernelContext->ContextNames);
}
if (KernelContext->ClientTokenHandle != NULL)
{
NTSTATUS IgnoreStatus;
#ifdef DEFENSIVE_HANDLES
OBJECT_HANDLE_FLAG_INFORMATION HandleInfo ;
HandleInfo.Inherit = FALSE ;
HandleInfo.ProtectFromClose = FALSE ;
IgnoreStatus = ZwSetInformationObject(
KernelContext->ClientTokenHandle,
ObjectHandleFlagInformation,
&HandleInfo,
sizeof(HandleInfo) );
ASSERT( NT_SUCCESS( IgnoreStatus ) );
#endif
IgnoreStatus = NtClose( KernelContext->ClientTokenHandle);
ASSERT (NT_SUCCESS (IgnoreStatus));
}
if (KernelContext->AccessToken != NULL)
{
ObDereferenceObject (KernelContext->AccessToken);
}
DebugLog(( DEB_TRACE, "Deleting Context 0x%lx\n", KernelContext));
NtLmFree (KernelContext);
DebugLog(( DEB_TRACE, "Leaving FreeKernelContext: 0x%lx\n", Status ));
return Status;
}
//+---------------------------------------------------------------------------
//
// Function: NtlmDerefContext
//
// Synopsis: Dereference a kernel context
//
// Arguments: [Context] --
//
// History: 7-07-98 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
VOID
NtlmDerefContext(
PNTLM_KERNEL_CONTEXT Context
)
{
BOOLEAN Delete ;
MAYBE_PAGED_CODE();
KSecDereferenceListEntry(
&Context->List,
&Delete );
if ( Delete )
{
NtlmFreeKernelContext( Context );
}
}
//+-------------------------------------------------------------------------
//
// Function: NtLmInitKernelPackage
//
// Synopsis: Initialize an instance of the NtLm package in
// a client's (kernel) address space
//
// Arguments: None
//
// Returns: STATUS_SUCCESS or
// returns from ExInitializeResource
//
// Notes: we do what was done in SpInstanceInit()
// from security\msv_sspi\userapi.cxx
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
NtLmInitKernelPackage(
IN PSECPKG_KERNEL_FUNCTIONS KernelFunctions
)
{
NTSTATUS Status = STATUS_SUCCESS;
PAGED_CODE();
DebugLog(( DEB_TRACE, "Entering NtLmInitKernelPackage\n" ));
LsaKernelFunctions = KernelFunctions;
//
// Set up Context list support:
//
NtlmPoolType = PagedPool ;
NtlmPagedList = LsaKernelFunctions->CreateContextList( KSecPaged );
if ( !NtlmPagedList )
{
return STATUS_NO_MEMORY ;
}
NtlmActiveList = NtlmPagedList ;
DebugLog(( DEB_TRACE, "Leaving NtLmInitKernelPackage 0x%lx\n", Status ));
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: NtLmDeleteKernelContext
//
// Synopsis: Deletes a kernel mode context by unlinking it and then
// dereferencing it.
//
// Effects:
//
// Arguments: KernelContextHandle - Kernel context handle of the context to delete
// LsaContextHandle - The Lsa mode handle
//
// Requires:
//
// Returns: STATUS_SUCCESS on success, STATUS_INVALID_HANDLE if the
// context can't be located
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
NtLmDeleteKernelContext(
IN ULONG_PTR KernelContextHandle,
OUT PULONG_PTR LsaContextHandle
)
{
PNTLM_KERNEL_CONTEXT pContext = NULL;
NTSTATUS Status = STATUS_SUCCESS, SaveStatus = STATUS_SUCCESS;
PAGED_CODE();
DebugLog(( DEB_TRACE, "Entering NtLmDeleteKernelContext\n" ));
Status = NtlmReferenceContext( KernelContextHandle, TRUE );
if ( NT_SUCCESS( Status ) )
{
pContext = (PNTLM_KERNEL_CONTEXT) KernelContextHandle ;
}
else
{
*LsaContextHandle = KernelContextHandle;
DebugLog(( DEB_ERROR,
"Bad kernel context 0x%lx\n", KernelContextHandle));
goto CleanUp;
}
*LsaContextHandle = pContext->LsaContext;
if ((pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_EXPORTED_CONTEXT) != 0)
{
// Ignore all other errors and pass back
SaveStatus = SEC_I_NO_LSA_CONTEXT;
}
CleanUp:
if (pContext != NULL)
{
NtlmDerefContext( pContext );
}
if (SaveStatus == SEC_I_NO_LSA_CONTEXT)
{
Status = SaveStatus;
}
DebugLog(( DEB_TRACE, "Leaving NtLmDeleteKernelContext 0x%lx\n", Status ));
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: NtLmInitKernelContext
//
// Synopsis: Creates a kernel-mode context from a packed LSA mode context
//
// Arguments: LsaContextHandle - Lsa mode context handle for the context
// PackedContext - A marshalled buffer containing the LSA
// mode context.
//
// Requires:
//
// Returns: STATUS_SUCCESS or STATUS_INSUFFICIENT_RESOURCES
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
NtLmInitKernelContext(
IN ULONG_PTR LsaContextHandle,
IN PSecBuffer PackedContext,
OUT PULONG_PTR NewContextHandle
)
{
NTSTATUS Status = STATUS_SUCCESS;
PNTLM_KERNEL_CONTEXT pContext = NULL;
PNTLM_PACKED_CONTEXT pTmpContext = (PNTLM_PACKED_CONTEXT) PackedContext->pvBuffer;
PAGED_CODE();
DebugLog(( DEB_TRACE, "Entering NtLmInitKernelContext\n" ));
*NewContextHandle = NULL;
if (PackedContext->cbBuffer < sizeof(NTLM_PACKED_CONTEXT))
{
Status = STATUS_INVALID_PARAMETER;
DebugLog(( DEB_ERROR,
"Bad size of Packed context 0x%lx\n", PackedContext->cbBuffer));
goto Cleanup;
}
pContext = (PNTLM_KERNEL_CONTEXT) NtLmAllocate(
sizeof(NTLM_KERNEL_CONTEXT) +
pTmpContext->MarshalledTargetInfoLength
);
if (!pContext)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
DebugLog(( DEB_ERROR, "Allocation error for pContext\n"));
goto Cleanup;
}
RtlZeroMemory(
pContext,
sizeof(NTLM_KERNEL_CONTEXT)
);
KsecInitializeListEntry( &pContext->List, NTLM_CONTEXT_SIGNATURE );
// Copy contents of PackedContext->pvBuffer to pContext
pContext->ClientTokenHandle = (HANDLE) ULongToPtr(pTmpContext->ClientTokenHandle);
#ifdef DEFENSIVE_HANDLES
if ( pContext->ClientTokenHandle )
{
OBJECT_HANDLE_FLAG_INFORMATION HandleInfo ;
POBJECT_TYPE_INFORMATION TypeInfo ;
NTSTATUS IgnoreStatus = STATUS_SUCCESS ;
UNICODE_STRING TokenTypeName ;
TypeInfo = (POBJECT_TYPE_INFORMATION) ExAllocatePoolWithTag( PagedPool, sizeof( OBJECT_TYPE_INFORMATION ) + 16, NTLM_KRNL_POOL_TAG );
if ( TypeInfo )
{
IgnoreStatus = ZwQueryObject(pContext->ClientTokenHandle,
ObjectTypeInformation,
TypeInfo,
(sizeof( OBJECT_TYPE_INFORMATION ) + 16 ),
NULL );
if ( NT_SUCCESS( IgnoreStatus ) )
{
RtlInitUnicodeString( &TokenTypeName, L"Token" );
if ( !RtlEqualUnicodeString( &TypeInfo->TypeName, &TokenTypeName, FALSE ))
{
IgnoreStatus = STATUS_INVALID_HANDLE ;
}
}
else if ( IgnoreStatus != STATUS_INVALID_HANDLE )
{
IgnoreStatus = STATUS_SUCCESS ;
}
ExFreePool( TypeInfo );
}
if ( !NT_SUCCESS( IgnoreStatus ) )
{
ASSERT( NT_SUCCESS( IgnoreStatus ) );
Status = IgnoreStatus ;
DebugLog(( DEB_ERROR, "Bad token handle from LSA: %p\n", pContext->ClientTokenHandle ));
goto Cleanup;
}
HandleInfo.Inherit = FALSE ;
HandleInfo.ProtectFromClose = TRUE ;
IgnoreStatus = ZwSetInformationObject(
pContext->ClientTokenHandle,
ObjectHandleFlagInformation,
&HandleInfo,
sizeof( HandleInfo ) );
}
#endif
pContext->LsaContext = LsaContextHandle;
pContext->NegotiateFlags = pTmpContext->NegotiateFlags;
//
// keep all 128 bits here, so signing can be strong even if encrypt can't be
//
RtlCopyMemory( pContext->SessionKey,
pTmpContext->SessionKey,
MSV1_0_USER_SESSION_KEY_LENGTH);
//
// if doing full duplex as part of NTLM2, generate different sign
// and seal keys for each direction
// all we do is MD5 the base session key with a different magic constant
//
if ( pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2 ) {
MD5_CTX Md5Context;
ULONG KeyLen;
ASSERT(MD5DIGESTLEN == MSV1_0_USER_SESSION_KEY_LENGTH);
if( pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_128 )
KeyLen = 16;
else if( pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_56 )
KeyLen = 7;
else
KeyLen = 5;
// DebugLog(( SSP_SESSION_KEYS, "NTLMv2 session key size: %lu\n", KeyLen));
//
// make client to server encryption key
//
MD5Init(&Md5Context);
MD5Update(&Md5Context, pContext->SessionKey, KeyLen);
MD5Update(&Md5Context, (unsigned char*)CSSEALMAGIC, sizeof(CSSEALMAGIC));
MD5Final(&Md5Context);
//
// if TokenHandle == NULL, this is the client side
// put key in the right place: for client it's seal, for server it's unseal
//
if (pContext->ClientTokenHandle == NULL)
RtlCopyMemory(pContext->SealSessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
else
RtlCopyMemory(pContext->UnsealSessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
//
// make server to client encryption key
//
MD5Init(&Md5Context);
MD5Update(&Md5Context, pContext->SessionKey, KeyLen);
MD5Update(&Md5Context, (unsigned char*)SCSEALMAGIC, sizeof(SCSEALMAGIC));
MD5Final(&Md5Context);
ASSERT(MD5DIGESTLEN == MSV1_0_USER_SESSION_KEY_LENGTH);
if (pContext->ClientTokenHandle == NULL)
RtlCopyMemory(pContext->UnsealSessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
else
RtlCopyMemory(pContext->SealSessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
//
// make client to server signing key -- always 128 bits!
//
MD5Init(&Md5Context);
MD5Update(&Md5Context, pContext->SessionKey, MSV1_0_USER_SESSION_KEY_LENGTH);
MD5Update(&Md5Context, (unsigned char*)CSSIGNMAGIC, sizeof(CSSIGNMAGIC));
MD5Final(&Md5Context);
if (pContext->ClientTokenHandle == NULL)
RtlCopyMemory(pContext->SignSessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
else
RtlCopyMemory(pContext->VerifySessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
//
// make server to client signing key
//
MD5Init(&Md5Context);
MD5Update(&Md5Context, pContext->SessionKey, MSV1_0_USER_SESSION_KEY_LENGTH);
MD5Update(&Md5Context, (unsigned char*)SCSIGNMAGIC, sizeof(SCSIGNMAGIC));
MD5Final(&Md5Context);
if (pContext->ClientTokenHandle == NULL)
RtlCopyMemory(pContext->VerifySessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
else
RtlCopyMemory(pContext->SignSessionKey, Md5Context.digest, MSV1_0_USER_SESSION_KEY_LENGTH);
//
// set pointers to different key schedule and nonce for each direction
// key schedule will be filled in later...
//
pContext->pSealRc4Sched = &pContext->SealRc4Sched;
pContext->pUnsealRc4Sched = &pContext->UnsealRc4Sched;
pContext->pSendNonce = &pContext->SendNonce;
pContext->pRecvNonce = &pContext->RecvNonce;
} else {
//
// just copy session key to all four keys
// leave them 128 bits -- they get cut to 40 bits later
//
RtlCopyMemory( pContext->SealSessionKey,
pContext->SessionKey,
MSV1_0_USER_SESSION_KEY_LENGTH);
RtlCopyMemory( pContext->UnsealSessionKey,
pContext->SessionKey,
MSV1_0_USER_SESSION_KEY_LENGTH);
RtlCopyMemory( pContext->SignSessionKey,
pContext->SessionKey,
MSV1_0_USER_SESSION_KEY_LENGTH);
RtlCopyMemory( pContext->VerifySessionKey,
pContext->SessionKey,
MSV1_0_USER_SESSION_KEY_LENGTH);
//
// set pointers to share a key schedule and nonce for each direction
// (OK because half duplex!)
//
pContext->pSealRc4Sched = &pContext->SealRc4Sched;
pContext->pUnsealRc4Sched = &pContext->SealRc4Sched;
pContext->pSendNonce = &pContext->SendNonce;
pContext->pRecvNonce = &pContext->SendNonce;
}
if ( pTmpContext->ContextNameLength == 0 )
{
//There's no string after the NTLM_KERNEL_CONTEXT struct
pContext->ContextNames = NULL;
}
else
{
pContext->ContextNames = (LPWSTR) NtLmAllocate( pTmpContext->ContextNameLength );
if (!pContext->ContextNames)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
RtlCopyMemory(pContext->ContextNames,
(PUCHAR) pTmpContext + pTmpContext->ContextNames,
pTmpContext->ContextNameLength );
}
if( pTmpContext->MarshalledTargetInfo )
{
pContext->pbMarshalledTargetInfo = (PUCHAR)(pContext+1);
pContext->cbMarshalledTargetInfo = pTmpContext->MarshalledTargetInfoLength;
RtlCopyMemory( pContext->pbMarshalledTargetInfo,
(PUCHAR) pTmpContext + pTmpContext->MarshalledTargetInfo,
pTmpContext->MarshalledTargetInfoLength );
}
pContext->SendNonce = pTmpContext->SendNonce;
pContext->RecvNonce = pTmpContext->RecvNonce;
SspRc4Key(pContext->NegotiateFlags, &pContext->SealRc4Sched, pContext->SealSessionKey);
SspRc4Key(pContext->NegotiateFlags, &pContext->UnsealRc4Sched, pContext->UnsealSessionKey);
pContext->PasswordExpiry = pTmpContext->PasswordExpiry;
pContext->UserFlags = pTmpContext->UserFlags;
KSecInsertListEntry(
NtlmActiveList,
&pContext->List );
NtlmDerefContext( pContext );
*NewContextHandle = (ULONG_PTR) pContext;
Cleanup:
if (!NT_SUCCESS(Status))
{
if (pContext != NULL)
{
NtlmFreeKernelContext( pContext );
}
}
if (PackedContext->pvBuffer != NULL)
{
LsaKernelFunctions->FreeHeap(PackedContext->pvBuffer);
PackedContext->pvBuffer = NULL;
}
DebugLog(( DEB_TRACE, "Leaving NtLmInitKernelContext 0x%lx\n", Status ));
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: NtLmMapKernelHandle
//
// Synopsis: Maps a kernel handle into an LSA handle
//
// Arguments: KernelContextHandle - Kernel context handle of the context to map
// LsaContextHandle - Receives LSA context handle of the context
// to map
//
// Returns: STATUS_SUCCESS on success
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
NtLmMapKernelHandle(
IN ULONG_PTR KernelContextHandle,
OUT PULONG_PTR LsaContextHandle
)
{
NTSTATUS Status = STATUS_SUCCESS;
PNTLM_KERNEL_CONTEXT Context = NULL;
PAGED_CODE();
DebugLog((DEB_TRACE,"Entering NtLmMapKernelhandle\n"));
Status = NtlmReferenceContext( KernelContextHandle, FALSE );
if ( NT_SUCCESS( Status ) )
{
Context = (PNTLM_KERNEL_CONTEXT) KernelContextHandle ;
*LsaContextHandle = Context->LsaContext ;
NtlmDerefContext( Context );
}
else
{
DebugLog(( DEB_WARN, "Invalid context handle - %x\n",
KernelContextHandle ));
*LsaContextHandle = KernelContextHandle ;
}
DebugLog((DEB_TRACE,"Leaving NtLmMapKernelhandle 0x%lx\n", Status));
return (Status);
}
//
// Bogus add-shift check sum
//
void
SspGenCheckSum(
IN PSecBuffer pMessage,
OUT PNTLMSSP_MESSAGE_SIGNATURE pSig
)
/*++
RoutineDescription:
Generate a crc-32 checksum for a buffer
Arguments:
Return Value:
Notes: This was stolen from net\svcdlls\ntlmssp\client\sign.c ,
routine SspGenCheckSum. It's possible that
bugs got copied too
--*/
{
MAYBE_PAGED_CODE();
Crc32(pSig->CheckSum,pMessage->cbBuffer,pMessage->pvBuffer,&pSig->CheckSum);
}
VOID
SspEncryptBuffer(
IN PNTLM_KERNEL_CONTEXT pContext,
IN struct RC4_KEYSTRUCT * pRc4Key,
IN ULONG BufferSize,
IN OUT PVOID Buffer
)
/*++
RoutineDescription:
Encrypts a buffer with the RC4 key in the context. If the context
is for a datagram session, then the key is copied before being used
to encrypt the buffer.
Arguments:
pContext - Context containing the key to encrypt the data
BufferSize - Length of buffer in bytes
Buffer - Buffer to encrypt.
Notes: This was stolen from net\svcdlls\ntlmssp\client\sign.c ,
routine SspEncryptBuffer. It's possible that
bugs got copied too
Return Value:
--*/
{
MAYBE_PAGED_CODE();
struct RC4_KEYSTRUCT TemporaryKey;
struct RC4_KEYSTRUCT * EncryptionKey = pRc4Key;
if (BufferSize == 0)
{
return;
}
//
// For datagram (application supplied sequence numbers) before NTLM2
// we used to copy the key before encrypting so we don't
// have a changing key; but that reused the key stream. Now we only
// do that when backwards compatibility is explicitly called for.
//
if (((pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_DATAGRAM) != 0) &&
((pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2) == 0) ) {
RtlCopyMemory(
&TemporaryKey,
EncryptionKey,
sizeof(TemporaryKey)
);
EncryptionKey = &TemporaryKey;
}
rc4(
EncryptionKey,
BufferSize,
(PUCHAR) Buffer
);
}
VOID
SspRc4Key(
IN ULONG NegotiateFlags,
OUT struct RC4_KEYSTRUCT *pRc4Key,
IN PUCHAR pSessionKey
)
/*++
RoutineDescription:
Create an RC4 key schedule, making sure key length is OK for export
Arguments:
NegotiateFlags negotiate feature flags; NTLM2 bit is only one looked at
pRc4Key pointer to RC4 key schedule structure; filled in by this routine
pSessionKey pointer to session key -- must be full 16 bytes
Return Value:
--*/
{
PAGED_CODE();
//
// For NTLM2, effective length was already cut down
//
if ((NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2) != 0) {
rc4_key(pRc4Key, MSV1_0_USER_SESSION_KEY_LENGTH, pSessionKey);
} else if( NegotiateFlags & NTLMSSP_NEGOTIATE_LM_KEY ) {
UCHAR Key[MSV1_0_LANMAN_SESSION_KEY_LENGTH];
ULONG KeyLen;
ASSERT(MSV1_0_LANMAN_SESSION_KEY_LENGTH == 8);
// prior to Win2k, negotiated key strength had no bearing on
// key size. So, to allow proper interop to NT4, we don't
// worry about 128bit. 56bit and 40bit are the only supported options.
// 56bit is enabled because this was introduced in Win2k, and
// Win2k -> Win2k interops correctly.
//
#if 0
if( NegotiateFlags & NTLMSSP_NEGOTIATE_128 ) {
KeyLen = 8;
} else
#endif
if( NegotiateFlags & NTLMSSP_NEGOTIATE_56 ) {
KeyLen = 7;
//
// Put a well-known salt at the end of the key to
// limit the changing part to 56 bits.
//
Key[7] = 0xa0;
} else {
KeyLen = 5;
//
// Put a well-known salt at the end of the key to
// limit the changing part to 40 bits.
//
Key[5] = 0xe5;
Key[6] = 0x38;
Key[7] = 0xb0;
}
/// DebugLog(( SSP_SESSION_KEYS, "Non NTLMv2 session key size: %lu\n", KeyLen));
RtlCopyMemory(Key,pSessionKey,KeyLen);
rc4_key(pRc4Key, MSV1_0_LANMAN_SESSION_KEY_LENGTH, Key);
} else {
rc4_key(pRc4Key, MSV1_0_USER_SESSION_KEY_LENGTH, pSessionKey);
}
}
SECURITY_STATUS
SspSignSealHelper(
IN PNTLM_KERNEL_CONTEXT pContext,
IN eSignSealOp Op,
IN OUT PSecBufferDesc pMessage,
IN ULONG MessageSeqNo,
OUT PNTLMSSP_MESSAGE_SIGNATURE pSig,
OUT PNTLMSSP_MESSAGE_SIGNATURE * ppSig
)
/*++
RoutineDescription:
Handle signing a message
Arguments:
Return Value:
--*/
{
HMACMD5_CTX HMACMD5Context;
UCHAR TempSig[MD5DIGESTLEN];
NTLMSSP_MESSAGE_SIGNATURE Sig;
int Signature;
ULONG i;
PUCHAR pKey; // ptr to key to use for encryption
PUCHAR pSignKey; // ptr to key to use for signing
PULONG pNonce; // ptr to nonce to use
struct RC4_KEYSTRUCT * pRc4Sched; // ptr to key schedule to use
NTLMSSP_MESSAGE_SIGNATURE AlignedSig;
MAYBE_PAGED_CODE();
Signature = -1;
for (i = 0; i < pMessage->cBuffers; i++)
{
if ((pMessage->pBuffers[i].BufferType & 0xFF) == SECBUFFER_TOKEN)
{
Signature = i;
break;
}
}
if (Signature == -1)
{
return(SEC_E_INVALID_TOKEN);
}
if (pMessage->pBuffers[Signature].cbBuffer < NTLMSSP_MESSAGE_SIGNATURE_SIZE)
{
return(SEC_E_INVALID_TOKEN);
}
*ppSig = (NTLMSSP_MESSAGE_SIGNATURE*)pMessage->pBuffers[Signature].pvBuffer;
RtlCopyMemory( &AlignedSig, *ppSig, sizeof(AlignedSig) );
//
// If sequence detect wasn't requested, put on an empty
// security token . Don't do the check if Seal/Unseal is called.
//
if (!(pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_SIGN) &&
(Op == eSign || Op == eVerify))
{
RtlZeroMemory(pSig,NTLMSSP_MESSAGE_SIGNATURE_SIZE);
pSig->Version = NTLM_SIGN_VERSION;
return(SEC_E_OK);
}
// figure out which key, key schedule, and nonce to use
// depends on the op. SspAddLocalContext set up so that code on client
// and server just (un)seals with (un)seal key or key schedule, etc.
// and also sets pointers to share sending/receiving key schedule/nonce
// when in half duplex mode. Hence, this code gets to act as if it were
// always in full duplex mode.
switch (Op) {
case eSeal:
pSignKey = pContext->SignSessionKey; // if NTLM2
pKey = pContext->SealSessionKey;
pRc4Sched = pContext->pSealRc4Sched;
pNonce = pContext->pSendNonce;
break;
case eUnseal:
pSignKey = pContext->VerifySessionKey; // if NTLM2
pKey = pContext->UnsealSessionKey;
pRc4Sched = pContext->pUnsealRc4Sched;
pNonce = pContext->pRecvNonce;
break;
case eSign:
pSignKey = pContext->SignSessionKey; // if NTLM2
pKey = pContext->SealSessionKey; // might be used to encrypt the signature
pRc4Sched = pContext->pSealRc4Sched;
pNonce = pContext->pSendNonce;
break;
case eVerify:
pSignKey = pContext->VerifySessionKey; // if NTLM2
pKey = pContext->UnsealSessionKey; // might be used to decrypt the signature
pRc4Sched = pContext->pUnsealRc4Sched;
pNonce = pContext->pRecvNonce;
break;
default:
ASSERT(FALSE);
return(STATUS_INVALID_LEVEL);
}
//
// Either we can supply the sequence number, or
// the application can supply the message sequence number.
//
Sig.Version = NTLM_SIGN_VERSION;
// if we're doing the new NTLM2 version:
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2) {
if ((pContext->NegotiateFlags & NTLMSSP_APP_SEQ) == 0)
{
Sig.Nonce = *pNonce; // use our sequence number
(*pNonce) += 1;
}
else {
if (Op == eSeal || Op == eSign || MessageSeqNo != 0)
Sig.Nonce = MessageSeqNo;
else
Sig.Nonce = AlignedSig.Nonce;
// if using RC4, must rekey for each packet
// RC4 is used for seal, unseal; and for encrypting the HMAC hash if
// key exchange was negotiated (we use just HMAC if no key exchange,
// so that a good signing option exists with no RC4 encryption needed)
if (Op == eSeal || Op == eUnseal || pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_KEY_EXCH)
{
MD5_CTX Md5ContextReKey;
MD5Init(&Md5ContextReKey);
MD5Update(&Md5ContextReKey, pKey, MSV1_0_USER_SESSION_KEY_LENGTH);
MD5Update(&Md5ContextReKey, (unsigned char*)&Sig.Nonce, sizeof(Sig.Nonce));
MD5Final(&Md5ContextReKey);
ASSERT(MD5DIGESTLEN == MSV1_0_USER_SESSION_KEY_LENGTH);
SspRc4Key(pContext->NegotiateFlags, pRc4Sched, Md5ContextReKey.digest);
}
}
//
// using HMAC hash, init it with the key
//
HMACMD5Init(&HMACMD5Context, pSignKey, MSV1_0_USER_SESSION_KEY_LENGTH);
//
// include the message sequence number
//
HMACMD5Update(&HMACMD5Context, (unsigned char*)&Sig.Nonce, sizeof(Sig.Nonce));
for (i = 0; i < pMessage->cBuffers ; i++ )
{
if (((pMessage->pBuffers[i].BufferType & 0xFF) == SECBUFFER_DATA) &&
(pMessage->pBuffers[i].cbBuffer != 0))
{
if ((pMessage->pBuffers[i].BufferType & (SECBUFFER_READONLY | SECBUFFER_READONLY_WITH_CHECKSUM))
== (SECBUFFER_READONLY | SECBUFFER_READONLY_WITH_CHECKSUM))
{
//
// FESTER: return INVALID_TOKEN because of data buffers
//
return SEC_E_INVALID_TOKEN;
}
// decrypt (before checksum...) if it's not READ_ONLY
if ( (Op == eUnseal)
&& !(pMessage->pBuffers[i].BufferType & (SECBUFFER_READONLY | SECBUFFER_READONLY_WITH_CHECKSUM) )
)
{
SspEncryptBuffer(
pContext,
pRc4Sched,
pMessage->pBuffers[i].cbBuffer,
pMessage->pBuffers[i].pvBuffer
);
}
HMACMD5Update(
&HMACMD5Context,
(unsigned char*)pMessage->pBuffers[i].pvBuffer,
pMessage->pBuffers[i].cbBuffer);
//
// Encrypt if its not READ_ONLY
//
if ( (Op == eSeal)
&& !(pMessage->pBuffers[i].BufferType & (SECBUFFER_READONLY | SECBUFFER_READONLY_WITH_CHECKSUM) )
)
{
SspEncryptBuffer(
pContext,
pRc4Sched,
pMessage->pBuffers[i].cbBuffer,
pMessage->pBuffers[i].pvBuffer
);
}
}
}
HMACMD5Final(&HMACMD5Context, TempSig);
//
// use RandomPad and Checksum fields for 8 bytes of MD5 hash
//
RtlCopyMemory(&Sig.RandomPad, TempSig, 8);
//
// if we're using crypto for KEY_EXCH, may as well use it for signing too...
//
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_KEY_EXCH)
SspEncryptBuffer(
pContext,
pRc4Sched,
8,
&Sig.RandomPad
);
}
//
// pre-NTLM2 methods
//
else {
//
// required by CRC-32 algorithm
//
Sig.CheckSum = 0xffffffff;
for (i = 0; i < pMessage->cBuffers ; i++ )
{
if (((pMessage->pBuffers[i].BufferType & 0xFF) == SECBUFFER_DATA)
&& (pMessage->pBuffers[i].cbBuffer != 0))
{
if ((pMessage->pBuffers[i].BufferType & (SECBUFFER_READONLY | SECBUFFER_READONLY_WITH_CHECKSUM))
== (SECBUFFER_READONLY | SECBUFFER_READONLY_WITH_CHECKSUM))
{
//
// FESTER: return invalid token because of data buffers
//
return SEC_E_INVALID_TOKEN;
}
//
// retain the "read-only" semantics for NTLMv1
//
if (pMessage->pBuffers[i].BufferType & SECBUFFER_READONLY)
{
continue;
}
// decrypt (before checksum...)
if ( (Op == eUnseal)
&& !(pMessage->pBuffers[i].BufferType & SECBUFFER_READONLY_WITH_CHECKSUM) )
{
SspEncryptBuffer(
pContext,
pRc4Sched,
pMessage->pBuffers[i].cbBuffer,
pMessage->pBuffers[i].pvBuffer
);
}
SspGenCheckSum(&pMessage->pBuffers[i], &Sig);
// Encrypt
if ( (Op == eSeal)
&& !(pMessage->pBuffers[i].BufferType & SECBUFFER_READONLY_WITH_CHECKSUM) )
{
SspEncryptBuffer(
pContext,
pRc4Sched,
pMessage->pBuffers[i].cbBuffer,
pMessage->pBuffers[i].pvBuffer
);
}
}
}
//
// Required by CRC-32 algorithm
//
Sig.CheckSum ^= 0xffffffff;
// when we encrypt 0, we will get the cipher stream for the nonce!
Sig.Nonce = 0;
SspEncryptBuffer(
pContext,
pRc4Sched,
sizeof(NTLMSSP_MESSAGE_SIGNATURE) - sizeof(ULONG),
&Sig.RandomPad
);
if ((pContext->NegotiateFlags & NTLMSSP_APP_SEQ) == 0)
{
Sig.Nonce ^= *pNonce; // use our sequence number and encrypt it
(*pNonce) += 1;
}
else if (Op == eSeal || Op == eSign || MessageSeqNo != 0)
Sig.Nonce ^= MessageSeqNo; // use caller's sequence number and encrypt it
else
Sig.Nonce = AlignedSig.Nonce; // use sender's sequence number
//
// for SignMessage calling, does nothing (copies garbage)
// For VerifyMessage calling, allows it to compare sig block
// upon return to Verify without knowing whether its MD5 or CRC32
//
Sig.RandomPad = AlignedSig.RandomPad;
}
pMessage->pBuffers[Signature].cbBuffer = sizeof(NTLMSSP_MESSAGE_SIGNATURE);
RtlCopyMemory(
pSig,
&Sig,
NTLMSSP_MESSAGE_SIGNATURE_SIZE
);
return(SEC_E_OK);
}
//+-------------------------------------------------------------------------
//
// Function: NtLmMakeSignature
//
// Synopsis: Signs a message buffer by calculatinga checksum over all
// the non-read only data buffers and encrypting the checksum
// along with a nonce.
//
// Effects:
//
// Arguments: KernelContextHandle - Handle of the context to use to sign the
// message.
// QualityOfProtection - Unused flags.
// MessageBuffers - Contains an array of buffers to sign and
// to store the signature.
// MessageSequenceNumber - Sequence number for this message,
// only used in datagram cases.
//
// Requires: STATUS_INVALID_HANDLE - the context could not be found or
// was not configured for message integrity.
// STATUS_INVALID_PARAMETER - the signature buffer could not
// be found.
// STATUS_BUFFER_TOO_SMALL - the signature buffer is too small
// to hold the signature
//
// Returns:
//
// Notes: This was stolen from net\svcdlls\ntlmssp\client\sign.c ,
// routine SspHandleSignMessage. It's possible that
// bugs got copied too
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
NtLmMakeSignature(
IN ULONG_PTR KernelContextHandle,
IN ULONG fQOP,
IN PSecBufferDesc pMessage,
IN ULONG MessageSeqNo
)
{
NTSTATUS Status = STATUS_SUCCESS;
PNTLM_KERNEL_CONTEXT pContext;
NTLMSSP_MESSAGE_SIGNATURE Sig;
NTLMSSP_MESSAGE_SIGNATURE *pSig;
MAYBE_PAGED_CODE();
DebugLog(( DEB_TRACE, "Entering NtLmMakeSignature\n" ));
UNREFERENCED_PARAMETER(fQOP);
Status = NtlmReferenceContext( KernelContextHandle, FALSE );
if ( NT_SUCCESS( Status ) )
{
pContext = (PNTLM_KERNEL_CONTEXT) KernelContextHandle ;
}
else
{
DebugLog(( DEB_ERROR,
"Bad kernel context 0x%lx\n", KernelContextHandle));
goto CleanUp_NoDeref;
}
Status = SspSignSealHelper(
pContext,
eSign,
pMessage,
MessageSeqNo,
&Sig,
&pSig
);
if( !NT_SUCCESS( Status ) )
{
DebugLog(( DEB_ERROR, "NtLmMakeSignature, SspSignSealHelper returns %lx\n", Status ));
goto CleanUp;
}
RtlCopyMemory(
pSig,
&Sig,
NTLMSSP_MESSAGE_SIGNATURE_SIZE
);
CleanUp:
NtlmDerefContext( pContext );
CleanUp_NoDeref:
DebugLog(( DEB_TRACE, "Leaving NtLmMakeSignature 0x%lx\n", Status ));
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: NtLmVerifySignature
//
// Synopsis: Verifies a signed message buffer by calculating a checksum over all
// the non-read only data buffers and encrypting the checksum
// along with a nonce.
//
// Effects:
//
// Arguments: KernelContextHandle - Handle of the context to use to sign the
// message.
// MessageBuffers - Contains an array of signed buffers and
// a signature buffer.
// MessageSequenceNumber - Sequence number for this message,
// only used in datagram cases.
// QualityOfProtection - Unused flags.
//
// Requires: STATUS_INVALID_HANDLE - the context could not be found or
// was not configured for message integrity.
// STATUS_INVALID_PARAMETER - the signature buffer could not
// be found or was too small.
//
// Returns:
//
// Notes: This was stolen from net\svcdlls\ntlmssp\client\sign.c ,
// routine SspHandleVerifyMessage. It's possible that
// bugs got copied too
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
NtLmVerifySignature(
IN ULONG_PTR KernelContextHandle,
IN PSecBufferDesc pMessage,
IN ULONG MessageSeqNo,
OUT PULONG pfQOP
)
{
NTSTATUS Status = STATUS_SUCCESS;
PNTLM_KERNEL_CONTEXT pContext;
NTLMSSP_MESSAGE_SIGNATURE Sig;
PNTLMSSP_MESSAGE_SIGNATURE pSig; // pointer to buffer with sig in it
NTLMSSP_MESSAGE_SIGNATURE AlignedSig; // Aligned sig buffer.
MAYBE_PAGED_CODE();
DebugLog(( DEB_TRACE, "Entering NtLmVerifySignature\n" ));
UNREFERENCED_PARAMETER(pfQOP);
Status = NtlmReferenceContext( KernelContextHandle, FALSE );
if ( NT_SUCCESS( Status ) )
{
pContext = (PNTLM_KERNEL_CONTEXT) KernelContextHandle ;
}
else
{
DebugLog(( DEB_ERROR,
"Bad kernel context 0x%lx\n", KernelContextHandle));
goto CleanUp_NoDeref;
}
Status = SspSignSealHelper(
pContext,
eVerify,
pMessage,
MessageSeqNo,
&Sig,
&pSig
);
if( !NT_SUCCESS( Status ) )
{
DebugLog(( DEB_ERROR, "NtLmVerifySignature, SspSignSealHelper returns %lx\n", Status ));
goto CleanUp;
}
RtlCopyMemory( &AlignedSig, pSig, sizeof( AlignedSig ) );
if (AlignedSig.Version != NTLM_SIGN_VERSION) {
Status = SEC_E_INVALID_TOKEN;
goto CleanUp;
}
// validate the signature...
if (AlignedSig.CheckSum != Sig.CheckSum)
{
Status = SEC_E_MESSAGE_ALTERED;
goto CleanUp;
}
// with MD5 sig, this now matters!
if (AlignedSig.RandomPad != Sig.RandomPad)
{
Status = SEC_E_MESSAGE_ALTERED;
goto CleanUp;
}
if (AlignedSig.Nonce != Sig.Nonce)
{
Status = SEC_E_OUT_OF_SEQUENCE;
goto CleanUp;
}
CleanUp:
NtlmDerefContext( pContext );
CleanUp_NoDeref:
DebugLog(( DEB_TRACE, "Leaving NtLmVerifySignature 0x%lx\n", Status ));
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: NtLmSealMessage
//
// Synopsis: Verifies a signed message buffer by calculating a checksum over all
// the non-read only data buffers and encrypting the checksum
// along with a nonce.
//
// Effects:
//
// Arguments: KernelContextHandle - Handle of the context to use to sign the
// message.
// MessageBuffers - Contains an array of signed buffers and
// a signature buffer.
// MessageSequenceNumber - Sequence number for this message,
// only used in datagram cases.
// QualityOfProtection - Unused flags.
//
// Requires: STATUS_INVALID_HANDLE - the context could not be found or
// was not configured for message integrity.
// STATUS_INVALID_PARAMETER - the signature buffer could not
// be found or was too small.
//
// Returns:
//
// Notes: This was stolen from net\svcdlls\ntlmssp\client\sign.c ,
// routine SspHandleSealMessage. It's possible that
// bugs got copied too
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
NtLmSealMessage(
IN ULONG_PTR KernelContextHandle,
IN ULONG fQOP,
IN PSecBufferDesc pMessage,
IN ULONG MessageSeqNo
)
{
NTSTATUS Status = STATUS_SUCCESS;
PNTLM_KERNEL_CONTEXT pContext;
NTLMSSP_MESSAGE_SIGNATURE Sig;
PNTLMSSP_MESSAGE_SIGNATURE pSig; // pointer to buffer where sig goes
MAYBE_PAGED_CODE();
DebugLog(( DEB_TRACE, "Entering NtLmSealMessage\n" ));
UNREFERENCED_PARAMETER(fQOP);
Status = NtlmReferenceContext( KernelContextHandle, FALSE );
if ( NT_SUCCESS( Status ) )
{
pContext = (PNTLM_KERNEL_CONTEXT) KernelContextHandle ;
}
else
{
DebugLog(( DEB_ERROR,
"Bad kernel context 0x%lx\n", KernelContextHandle));
goto CleanUp_NoDeref;
}
Status = SspSignSealHelper(
pContext,
eSeal,
pMessage,
MessageSeqNo,
&Sig,
&pSig
);
if (!NT_SUCCESS(Status))
{
DebugLog(( DEB_ERROR, "SpSealMessage, SspSignSealHelper returns %lx\n", Status ));
goto CleanUp;
}
RtlCopyMemory(
pSig,
&Sig,
NTLMSSP_MESSAGE_SIGNATURE_SIZE
);
CleanUp:
NtlmDerefContext( pContext );
CleanUp_NoDeref:
DebugLog(( DEB_TRACE, "Leaving NtLmSealMessage 0x%lx\n", Status ));
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function: NtLmUnsealMessage
//
// Synopsis: Verifies a signed message buffer by calculating a checksum over all
// the non-read only data buffers and encrypting the checksum
// along with a nonce.
//
// Effects:
//
// Arguments: KernelContextHandle - Handle of the context to use to sign the
// message.
// MessageBuffers - Contains an array of signed buffers and
// a signature buffer.
// MessageSequenceNumber - Sequence number for this message,
// only used in datagram cases.
// QualityOfProtection - Unused flags.
//
// Requires: STATUS_INVALID_HANDLE - the context could not be found or
// was not configured for message integrity.
// STATUS_INVALID_PARAMETER - the signature buffer could not
// be found or was too small.
//
// Returns:
//
// Notes: This was stolen from net\svcdlls\ntlmssp\client\sign.c ,
// routine SspHandleUnsealMessage. It's possible that
// bugs got copied too
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
NtLmUnsealMessage(
IN ULONG_PTR KernelContextHandle,
IN PSecBufferDesc pMessage,
IN ULONG MessageSeqNo,
OUT PULONG pfQOP
)
{
NTSTATUS Status = STATUS_SUCCESS;
PNTLM_KERNEL_CONTEXT pContext;
NTLMSSP_MESSAGE_SIGNATURE Sig;
PNTLMSSP_MESSAGE_SIGNATURE pSig; // pointer to buffer where sig goes
NTLMSSP_MESSAGE_SIGNATURE AlignedSig; // aligned buffer.
MAYBE_PAGED_CODE();
DebugLog(( DEB_TRACE, "Entering NtLmUnsealMessage\n" ));
UNREFERENCED_PARAMETER(pfQOP);
Status = NtlmReferenceContext( KernelContextHandle, FALSE );
if ( NT_SUCCESS( Status ) )
{
pContext = (PNTLM_KERNEL_CONTEXT) KernelContextHandle ;
}
else
{
DebugLog(( DEB_ERROR,
"Bad kernel context 0x%lx\n", KernelContextHandle));
goto CleanUp_NoDeref;
}
Status = SspSignSealHelper(
pContext,
eUnseal,
pMessage,
MessageSeqNo,
&Sig,
&pSig
);
if (!NT_SUCCESS(Status))
{
DebugLog(( DEB_ERROR, "SpUnsealMessage, SspSignSealHelper returns %lx\n", Status ));
goto CleanUp;
}
RtlCopyMemory( &AlignedSig, pSig, sizeof(AlignedSig) );
if (AlignedSig.Version != NTLM_SIGN_VERSION) {
Status = SEC_E_INVALID_TOKEN;
goto CleanUp;
}
// validate the signature...
if (AlignedSig.CheckSum != Sig.CheckSum)
{
Status = SEC_E_MESSAGE_ALTERED;
goto CleanUp;
}
if (AlignedSig.RandomPad != Sig.RandomPad)
{
Status = SEC_E_MESSAGE_ALTERED;
goto CleanUp;
}
if (AlignedSig.Nonce != Sig.Nonce)
{
Status = SEC_E_OUT_OF_SEQUENCE;
goto CleanUp;
}
CleanUp:
NtlmDerefContext( pContext );
CleanUp_NoDeref:
DebugLog(( DEB_TRACE, "Leaving NtLmUnsealMessage 0x%lx\n", Status ));
return (Status);
}
//+-------------------------------------------------------------------------
//
// Function: NtLmGetContextToken
//
// Synopsis: returns a pointer to the token for a server-side context
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
NtLmGetContextToken(
IN ULONG_PTR KernelContextHandle,
OUT PHANDLE ImpersonationToken,
OUT OPTIONAL PACCESS_TOKEN *RawToken
)
{
NTSTATUS Status = STATUS_SUCCESS;
PNTLM_KERNEL_CONTEXT pContext = NULL;
MAYBE_PAGED_CODE();
DebugLog(( DEB_TRACE, "Entering NtLmGetContextToken\n" ));
Status = NtlmReferenceContext( KernelContextHandle, FALSE );
if ( NT_SUCCESS( Status ) )
{
pContext = (PNTLM_KERNEL_CONTEXT) KernelContextHandle ;
}
else
{
DebugLog(( DEB_ERROR,
"Bad kernel context 0x%lx\n", KernelContextHandle));
goto CleanUp_NoDeref;
}
if (pContext->ClientTokenHandle == NULL)
{
DebugLog(( DEB_ERROR, "Invalid TokenHandle for context 0x%lx\n", pContext ));
Status= SEC_E_NO_IMPERSONATION;
goto CleanUp;
}
if (ARGUMENT_PRESENT(ImpersonationToken))
{
*ImpersonationToken = pContext->ClientTokenHandle;
}
if (ARGUMENT_PRESENT(RawToken))
{
if (pContext->ClientTokenHandle != NULL)
{
if (pContext->AccessToken == NULL)
{
Status = ObReferenceObjectByHandle(
pContext->ClientTokenHandle,
TOKEN_IMPERSONATE | TOKEN_QUERY,
NULL,
ExGetPreviousMode(),
(PVOID *) &pContext->AccessToken,
NULL);
}
}
if (NT_SUCCESS(Status))
{
ASSERT(pContext->AccessToken != NULL);
*RawToken = pContext->AccessToken;
}
}
CleanUp:
NtlmDerefContext( pContext );
CleanUp_NoDeref:
DebugLog(( DEB_TRACE, "Leaving NtLmGetContextToken 0x%lx\n", Status ));
return (Status);
}
//+-------------------------------------------------------------------------
//
// Function: NtLmQueryContextAttributes
//
// Synopsis: Querys attributes of the specified context
// This API allows a customer of the security
// services to determine certain attributes of
// the context. These are: sizes, names, and lifespan.
//
// Effects:
//
// Arguments:
//
// ContextHandle - Handle to the context to query.
//
// Attribute - Attribute to query.
//
// #define SECPKG_ATTR_SIZES 0
// #define SECPKG_ATTR_NAMES 1
// #define SECPKG_ATTR_LIFESPAN 2
//
// Buffer - Buffer to copy the data into. The buffer must
// be large enough to fit the queried attribute.
//
//
// Requires:
//
// Returns:
//
// STATUS_SUCCESS - Call completed successfully
//
// STATUS_INVALID_HANDLE -- Credential/Context Handle is invalid
// STATUS_UNSUPPORTED_FUNCTION -- Function code is not supported
//
// Notes:
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
NtLmQueryContextAttributes(
IN ULONG_PTR KernelContextHandle,
IN ULONG Attribute,
IN OUT PVOID Buffer
)
{
NTSTATUS Status = STATUS_SUCCESS;
PSecPkgContext_NamesW ContextNames = NULL;
PSecPkgContext_DceInfo ContextDceInfo = NULL;
PSecPkgContext_SessionKey ContextSessionKeyInfo = NULL;
PSecPkgContext_Sizes ContextSizes = NULL;
PSecPkgContext_Flags ContextFlags = NULL;
PSecPkgContext_PasswordExpiry PasswordExpires;
PSecPkgContext_UserFlags UserFlags;
PSecPkgContext_PackageInfo PackageInfo = NULL;
PSecPkgContext_TargetInformation TargetInformation = NULL;
PNTLM_KERNEL_CONTEXT pContext = NULL;
unsigned int Length = 0;
MAYBE_PAGED_CODE();
DebugLog(( DEB_TRACE, "Entering NtLmQueryContextAttributes\n" ));
Status = NtlmReferenceContext( KernelContextHandle, FALSE );
if ( NT_SUCCESS( Status ) )
{
pContext = (PNTLM_KERNEL_CONTEXT) KernelContextHandle ;
} else {
//
// for PACKAGE_INFO or NEGOTIATION_INFO, don't require a completed
// context.
//
if( (Attribute != SECPKG_ATTR_PACKAGE_INFO) &&
(Attribute != SECPKG_ATTR_NEGOTIATION_INFO)
)
{
DebugLog(( DEB_ERROR,
"Bad kernel context 0x%lx\n", KernelContextHandle));
goto CleanUp_NoDeref;
}
Status = STATUS_SUCCESS;
}
//
// Handle each of the various queried attributes
//
switch ( Attribute ) {
case SECPKG_ATTR_SIZES:
ContextSizes = (PSecPkgContext_Sizes) Buffer;
ContextSizes->cbMaxToken = NTLMSP_MAX_TOKEN_SIZE;
if (pContext->NegotiateFlags & (NTLMSSP_NEGOTIATE_ALWAYS_SIGN |
NTLMSSP_NEGOTIATE_SIGN |
NTLMSSP_NEGOTIATE_SEAL) ) {
ContextSizes->cbMaxSignature = NTLMSSP_MESSAGE_SIGNATURE_SIZE;
} else {
ContextSizes->cbMaxSignature = 0;
}
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_SEAL) {
ContextSizes->cbBlockSize = 1;
ContextSizes->cbSecurityTrailer = NTLMSSP_MESSAGE_SIGNATURE_SIZE;
}
else
{
ContextSizes->cbBlockSize = 0;
ContextSizes->cbSecurityTrailer = 0;
}
break;
//
// No one uses the function so don't go to the overhead of maintaining
// the username in the context structure.
//
case SECPKG_ATTR_DCE_INFO:
ContextDceInfo = (PSecPkgContext_DceInfo) Buffer;
if (ContextDceInfo == NULL)
{
DebugLog(( DEB_ERROR, "Null buffer SECPKG_ATTR_DCE_INFO.\n" ));
Status = STATUS_INVALID_PARAMETER;
goto Cleanup;
}
if (pContext->ContextNames)
{
Length = (unsigned int) wcslen(pContext->ContextNames);
}
ContextDceInfo->pPac = (LPWSTR) LsaKernelFunctions->AllocateHeap(
(Length + 1) * sizeof(WCHAR));
if (ContextDceInfo->pPac != NULL)
{
RtlCopyMemory(
ContextDceInfo->pPac,
pContext->ContextNames,
Length * sizeof(WCHAR));
LPWSTR Temp = (LPWSTR)ContextDceInfo->pPac;
Temp[Length] = L'\0';
}
else
{
DebugLog(( DEB_ERROR, "Bad Context->pPac in SECPKG_ATTR_DCE_INFO.\n" ));
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
ContextDceInfo->AuthzSvc = 0;
break;
case SECPKG_ATTR_NAMES:
ContextNames = (PSecPkgContext_Names) Buffer;
if (ContextNames == NULL)
{
DebugLog(( DEB_ERROR, "Null buffer SECPKG_ATTR_NAMES.\n" ));
Status = STATUS_INVALID_PARAMETER;
goto Cleanup;
}
if (pContext->ContextNames)
{
Length = (unsigned int) wcslen(pContext->ContextNames);
DebugLog(( DEB_TRACE, "NtLmQueryContextAttributes: ContextNames length is 0x%lx\n", Length));
}
ContextNames->sUserName = (LPWSTR) LsaKernelFunctions->AllocateHeap(
(Length + 1) * sizeof(WCHAR));
if (ContextNames->sUserName != NULL)
{
RtlCopyMemory(
ContextNames->sUserName,
pContext->ContextNames,
Length * sizeof(WCHAR));
ContextNames->sUserName[Length] = L'\0';
}
else
{
DebugLog(( DEB_ERROR, "Bad Context->sUserName in SECPKG_ATTR_NAMES.\n" ));
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
break;
case SECPKG_ATTR_TARGET_INFORMATION:
TargetInformation = (PSecPkgContext_TargetInformation) Buffer;
if (TargetInformation == NULL)
{
DebugLog(( DEB_ERROR, "Null buffer SECPKG_ATTR_TARGET_INFORMATION.\n" ));
Status = STATUS_INVALID_PARAMETER;
goto Cleanup;
}
TargetInformation->MarshalledTargetInfo = NULL;
if (pContext->pbMarshalledTargetInfo == NULL)
{
Status = STATUS_NOT_FOUND;
goto Cleanup;
}
Length = pContext->cbMarshalledTargetInfo;
DebugLog(( DEB_TRACE, "NtLmQueryContextAttributes: TargetInformation length is 0x%lx\n", Length));
TargetInformation->MarshalledTargetInfo = (PUCHAR) LsaKernelFunctions->AllocateHeap(
Length
);
if (TargetInformation->MarshalledTargetInfo != NULL)
{
RtlCopyMemory(
TargetInformation->MarshalledTargetInfo,
pContext->pbMarshalledTargetInfo,
Length
);
TargetInformation->MarshalledTargetInfoLength = Length;
}
else
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
break;
case SECPKG_ATTR_SESSION_KEY:
ContextSessionKeyInfo = (PSecPkgContext_SessionKey) Buffer;
ContextSessionKeyInfo->SessionKeyLength = MSV1_0_USER_SESSION_KEY_LENGTH;
ContextSessionKeyInfo->SessionKey =
(PUCHAR) LsaKernelFunctions->AllocateHeap(
ContextSessionKeyInfo->SessionKeyLength);
if (ContextSessionKeyInfo->SessionKey != NULL)
{
RtlCopyMemory(
ContextSessionKeyInfo->SessionKey,
pContext->SessionKey,
MSV1_0_USER_SESSION_KEY_LENGTH);
}
else
{
Status = STATUS_INSUFFICIENT_RESOURCES;
}
break;
case SECPKG_ATTR_PASSWORD_EXPIRY:
PasswordExpires = (PSecPkgContext_PasswordExpiry) Buffer;
if(pContext->PasswordExpiry.QuadPart != 0) {
PasswordExpires->tsPasswordExpires = pContext->PasswordExpiry;
} else {
Status = SEC_E_UNSUPPORTED_FUNCTION;
}
break;
case SECPKG_ATTR_USER_FLAGS:
UserFlags = (PSecPkgContext_UserFlags) Buffer;
UserFlags->UserFlags = pContext->UserFlags;
break;
case SECPKG_ATTR_FLAGS:
{
BOOLEAN Client = (pContext->ClientTokenHandle == 0);
ULONG Flags = 0;
ContextFlags = (PSecPkgContext_Flags) Buffer;
ContextFlags->Flags = 0;
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_SEAL) {
if( Client )
{
Flags |= ISC_RET_CONFIDENTIALITY;
} else {
Flags |= ASC_RET_CONFIDENTIALITY;
}
}
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_SIGN) {
if( Client )
{
Flags |= ISC_RET_SEQUENCE_DETECT | ISC_RET_REPLAY_DETECT | ISC_RET_INTEGRITY;
} else {
Flags |= ASC_RET_SEQUENCE_DETECT | ASC_RET_REPLAY_DETECT | ASC_RET_INTEGRITY;
}
}
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_NULL_SESSION) {
if( Client )
{
Flags |= ISC_RET_NULL_SESSION;
} else {
Flags |= ASC_RET_NULL_SESSION;
}
}
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_DATAGRAM) {
if( Client )
{
Flags |= ISC_RET_DATAGRAM;
} else {
Flags |= ASC_RET_DATAGRAM;
}
}
if (pContext->NegotiateFlags & NTLMSSP_NEGOTIATE_IDENTIFY) {
if( Client )
{
Flags |= ISC_RET_IDENTIFY;
} else {
Flags |= ASC_RET_IDENTIFY;
}
}
ContextFlags->Flags |= Flags;
break;
}
case SECPKG_ATTR_PACKAGE_INFO:
case SECPKG_ATTR_NEGOTIATION_INFO:
//
// Return the information about this package. This is useful for
// callers who used SPNEGO and don't know what package they got.
//
PackageInfo = (PSecPkgContext_PackageInfo) Buffer;
PackageInfo->PackageInfo = (PSecPkgInfoW) LsaKernelFunctions->AllocateHeap(
sizeof(SecPkgInfoW) +
sizeof(NTLMSP_NAME) +
sizeof(NTLMSP_COMMENT)
);
if (PackageInfo->PackageInfo == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
PackageInfo->PackageInfo->Name = (LPWSTR) (PackageInfo->PackageInfo + 1);
PackageInfo->PackageInfo->Comment = (LPWSTR) ((((PCHAR) PackageInfo->PackageInfo->Name)) + sizeof(NTLMSP_NAME));
wcscpy(
PackageInfo->PackageInfo->Name,
NTLMSP_NAME
);
wcscpy(
PackageInfo->PackageInfo->Comment,
NTLMSP_COMMENT
);
PackageInfo->PackageInfo->wVersion = SECURITY_SUPPORT_PROVIDER_INTERFACE_VERSION;
PackageInfo->PackageInfo->wRPCID = NTLMSP_RPCID;
PackageInfo->PackageInfo->fCapabilities = NTLMSP_CAPS;
PackageInfo->PackageInfo->cbMaxToken = NTLMSP_MAX_TOKEN_SIZE;
if ( Attribute == SECPKG_ATTR_NEGOTIATION_INFO )
{
PSecPkgContext_NegotiationInfo NegInfo ;
NegInfo = (PSecPkgContext_NegotiationInfo) PackageInfo ;
if( pContext ) {
NegInfo->NegotiationState = SECPKG_NEGOTIATION_COMPLETE ;
} else {
NegInfo->NegotiationState = 0;
}
}
break;
case SECPKG_ATTR_LIFESPAN:
default:
Status = STATUS_NOT_SUPPORTED;
break;
}
Cleanup:
if (!NT_SUCCESS(Status)) {
switch ( Attribute) {
case SECPKG_ATTR_NAMES:
if (ContextNames && ContextNames->sUserName)
{
LsaKernelFunctions->FreeHeap(ContextNames->sUserName);
ContextNames->sUserName = NULL;
}
break;
case SECPKG_ATTR_DCE_INFO:
if (ContextDceInfo && ContextDceInfo->pPac)
{
LsaKernelFunctions->FreeHeap(ContextDceInfo->pPac);
ContextDceInfo->pPac = NULL;
}
break;
case SECPKG_ATTR_SESSION_KEY:
if(ContextSessionKeyInfo && ContextSessionKeyInfo->SessionKey)
{
LsaKernelFunctions->FreeHeap(ContextSessionKeyInfo->SessionKey);
ContextSessionKeyInfo->SessionKey = NULL;
}
break;
case SECPKG_ATTR_NEGOTIATION_INFO:
if(PackageInfo && PackageInfo->PackageInfo)
{
LsaKernelFunctions->FreeHeap(PackageInfo->PackageInfo);
PackageInfo->PackageInfo = NULL;
}
break;
}
}
if( pContext ) {
NtlmDerefContext( pContext );
}
CleanUp_NoDeref:
DebugLog(( DEB_TRACE, "Leaving NtLmQueryContextAttributes 0x%lx\n", Status ));
return Status;
}
//+-------------------------------------------------------------------------
//
// Function: NtLmCompleteToken
//
// Synopsis: Completes a context
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS NTAPI
NtLmCompleteToken(
IN ULONG_PTR ContextHandle,
IN PSecBufferDesc InputBuffer
)
{
UNREFERENCED_PARAMETER (ContextHandle);
UNREFERENCED_PARAMETER (InputBuffer);
PAGED_CODE();
DebugLog(( DEB_TRACE, "Entering NtLmCompleteToken\n" ));
DebugLog(( DEB_TRACE, "Leaving NtLmCompleteToken\n" ));
return(STATUS_NOT_SUPPORTED);
}
//+-------------------------------------------------------------------------
//
// Function: NtLmMakePackedContext
//
// Synopsis: Maps a context to the caller's address space
//
// Effects:
//
// Arguments: Context - The context to map
// MappedContext - Set to TRUE on success
// ContextData - Receives a buffer in the caller's address space
// with the mapped context.
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS
NtLmMakePackedContext(
IN PNTLM_KERNEL_CONTEXT Context,
OUT PBOOLEAN MappedContext,
OUT PSecBuffer ContextData,
IN ULONG Flags
)
{
NTSTATUS Status = STATUS_SUCCESS;
PNTLM_PACKED_CONTEXT PackedContext = NULL;
ULONG ContextSize, ContextNameSize = 0;
PAGED_CODE();
if (Context->ContextNames)
{
ContextNameSize = (ULONG) wcslen(Context->ContextNames);
}
ContextSize = sizeof(NTLM_PACKED_CONTEXT) +
ContextNameSize * sizeof(WCHAR);
PackedContext = (PNTLM_PACKED_CONTEXT) NtLmAllocate(ContextSize);
if (PackedContext == NULL)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
RtlZeroMemory( PackedContext, ContextSize );
#if 0
// Copy all fields of the old context
RtlCopyMemory(
PackedContext,
Context,
sizeof(NTLM_KERNEL_CONTEXT)
);
if (ContextNameSize > 0)
{
PackedContext->ContextNames = (LPWSTR) sizeof(NTLM_PACKED_CONTEXT);
RtlCopyMemory(
PackedContext+1,
Context->ContextNames,
ContextNameSize * sizeof(WCHAR));
}
else
{
PackedContext->ContextNames=NULL;
}
// Replace some fields
//
// Token will be returned by the caller of this routine
//
PackedContext->ClientTokenHandle = NULL;
PackedContext->NegotiateFlags |= NTLMSSP_NEGOTIATE_EXPORTED_CONTEXT;
if ((Flags & SECPKG_CONTEXT_EXPORT_RESET_NEW) != 0)
{
PackedContext->SendNonce = (ULONG) -1;
PackedContext->RecvNonce = (ULONG) -1;
}
RtlZeroMemory(
&PackedContext->SessionKey,
MSV1_0_USER_SESSION_KEY_LENGTH
);
#endif
PackedContext->Tag = NTLM_PACKED_CONTEXT_MAP ;
PackedContext->NegotiateFlags = Context->NegotiateFlags ;
PackedContext->SendNonce = Context->SendNonce ;
PackedContext->RecvNonce = Context->RecvNonce ;
RtlCopyMemory(
PackedContext->SessionKey,
Context->SessionKey,
MSV1_0_USER_SESSION_KEY_LENGTH );
PackedContext->ContextSignature = Context->ContextSignature ;
PackedContext->PasswordExpiry = Context->PasswordExpiry ;
PackedContext->UserFlags = Context->UserFlags ;
if ( ContextNameSize )
{
PackedContext->ContextNames = sizeof( NTLM_PACKED_CONTEXT );
PackedContext->ContextNameLength = (ContextNameSize + 1) * sizeof( WCHAR ) ;
RtlCopyMemory(
(PackedContext + 1),
Context->ContextNames,
PackedContext->ContextNameLength );
}
else
{
PackedContext->ContextNames = 0 ;
}
RtlCopyMemory(
PackedContext->SignSessionKey,
Context->SignSessionKey,
MSV1_0_USER_SESSION_KEY_LENGTH );
RtlCopyMemory(
PackedContext->VerifySessionKey,
Context->VerifySessionKey,
MSV1_0_USER_SESSION_KEY_LENGTH );
RtlCopyMemory(
PackedContext->SealSessionKey,
Context->SealSessionKey,
MSV1_0_USER_SESSION_KEY_LENGTH );
RtlCopyMemory(
PackedContext->UnsealSessionKey,
Context->SealSessionKey,
MSV1_0_USER_SESSION_KEY_LENGTH );
RtlCopyMemory(
&PackedContext->SealRc4Sched,
&Context->SealRc4Sched,
sizeof( struct RC4_KEYSTRUCT ) );
RtlCopyMemory(
&PackedContext->UnsealRc4Sched,
&Context->UnsealRc4Sched,
sizeof( struct RC4_KEYSTRUCT ) );
// Replace some fields
//
// Token will be returned by the caller of this routine
//
PackedContext->ClientTokenHandle = 0 ;
// Save the fact that it's exported
PackedContext->NegotiateFlags |= NTLMSSP_NEGOTIATE_EXPORTED_CONTEXT;
if ((Flags & SECPKG_CONTEXT_EXPORT_RESET_NEW) != 0)
{
PackedContext->SendNonce = (ULONG) -1;
PackedContext->RecvNonce = (ULONG) -1;
}
ContextData->pvBuffer = PackedContext;
ContextData->cbBuffer = ContextSize;
*MappedContext = TRUE;
Cleanup:
if (!NT_SUCCESS(Status))
{
if (PackedContext != NULL)
{
NtLmFree(PackedContext);
}
}
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function:
//
// Synopsis:
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS
NtLmExportSecurityContext(
IN ULONG_PTR ContextHandle,
IN ULONG Flags,
OUT PSecBuffer PackedContext,
IN OUT PHANDLE TokenHandle
)
{
PNTLM_KERNEL_CONTEXT Context = NULL;
NTSTATUS Status = STATUS_SUCCESS;
BOOLEAN MappedContext = FALSE;
PAGED_CODE();
DebugLog(( DEB_TRACE, "Entering NtLmExportSecurityContext\n" ));
if (ARGUMENT_PRESENT(TokenHandle))
{
*TokenHandle = NULL;
}
PackedContext->pvBuffer = NULL;
PackedContext->cbBuffer = 0;
PackedContext->BufferType = 0;
Status = NtlmReferenceContext( ContextHandle, FALSE );
if ( NT_SUCCESS( Status ) )
{
Context = (PNTLM_KERNEL_CONTEXT) ContextHandle ;
}
else
{
goto Cleanup_NoDeref ;
}
Status = NtLmMakePackedContext(
Context,
&MappedContext,
PackedContext,
Flags
);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
ASSERT(MappedContext);
//
// Now either duplicate the token or copy it.
//
if (ARGUMENT_PRESENT(TokenHandle))
{
if ((Flags & SECPKG_CONTEXT_EXPORT_DELETE_OLD) != 0)
{
*TokenHandle = Context->ClientTokenHandle;
Context->ClientTokenHandle = NULL;
}
else
{
Status = NtDuplicateObject(
NtCurrentProcess(),
Context->ClientTokenHandle,
NULL,
TokenHandle,
0, // no new access
0, // no handle attributes
DUPLICATE_SAME_ACCESS
);
}
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
}
Cleanup:
NtlmDerefContext( Context );
Cleanup_NoDeref:
return (Status);
}
//+-------------------------------------------------------------------------
//
// Function: NtLmCreateKernelModeContext
//
// Synopsis: Creates a kernel-mode context to support impersonation and
// message integrity and privacy
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS
NtLmCreateKernelModeContext(
IN ULONG_PTR ContextHandle,
IN OPTIONAL HANDLE TokenHandle,
IN PSecBuffer MarshalledContext,
OUT PNTLM_KERNEL_CONTEXT * NewContext
)
{
NTSTATUS Status = STATUS_SUCCESS;
PNTLM_KERNEL_CONTEXT Context = NULL;
PNTLM_PACKED_CONTEXT PackedContext;
unsigned int Length = 0;
PAGED_CODE();
if (MarshalledContext->cbBuffer < sizeof(NTLM_PACKED_CONTEXT))
{
DebugLog((DEB_ERROR,"NtLmCreateKernelModeContext: Invalid buffer size for marshalled context: was 0x%x, needed 0x%x\n",
MarshalledContext->cbBuffer, sizeof(NTLM_PACKED_CONTEXT)));
return(STATUS_INVALID_PARAMETER);
}
PackedContext = (PNTLM_PACKED_CONTEXT) MarshalledContext->pvBuffer;
Context = (PNTLM_KERNEL_CONTEXT) NtLmAllocate( sizeof(NTLM_KERNEL_CONTEXT));
if (!Context)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
DebugLog((DEB_ERROR,"NtLmCreateKernelModeContext: Allocation error for Context\n"));
goto Cleanup;
}
RtlZeroMemory(
Context,
sizeof(NTLM_KERNEL_CONTEXT));
// Copy contenets of PackedContext->pvBuffer to Context
//// *Context = *PackedContext;
Context->NegotiateFlags = PackedContext->NegotiateFlags;
//// Context->ClientTokenHandle = (HANDLE)PackedContext->ClientTokenHandle;
Context->ContextSignature = PackedContext->ContextSignature;
RtlCopyMemory( Context->SessionKey, PackedContext->SessionKey, sizeof(PackedContext->SessionKey) );
RtlCopyMemory( Context->SignSessionKey, PackedContext->SignSessionKey, sizeof(PackedContext->SignSessionKey) );
RtlCopyMemory( Context->VerifySessionKey, PackedContext->VerifySessionKey, sizeof(PackedContext->VerifySessionKey) );
RtlCopyMemory( Context->SealSessionKey, PackedContext->SealSessionKey, sizeof(PackedContext->SealSessionKey) );
RtlCopyMemory( Context->UnsealSessionKey, PackedContext->UnsealSessionKey, sizeof(PackedContext->UnsealSessionKey) );
RtlCopyMemory( &Context->SealRc4Sched, &PackedContext->SealRc4Sched, sizeof(PackedContext->SealRc4Sched) );
RtlCopyMemory( &Context->UnsealRc4Sched, &PackedContext->UnsealRc4Sched, sizeof(PackedContext->UnsealRc4Sched) );
KsecInitializeListEntry( &Context->List, NTLM_CONTEXT_SIGNATURE );
// These need to be changed
Context->ClientTokenHandle = TokenHandle;
if (Context->SendNonce == (ULONG) -1)
{
// The context was exported with the reset flag
Context->SendNonce = 0;
}
if (Context->RecvNonce == (ULONG) -1)
{
// The context was exported with the reset flag
Context->RecvNonce = 0;
}
if( Context->NegotiateFlags & NTLMSSP_NEGOTIATE_NTLM2 ) {
Context->pSealRc4Sched = &Context->SealRc4Sched;
Context->pUnsealRc4Sched = &Context->UnsealRc4Sched;
Context->pSendNonce = &Context->SendNonce;
Context->pRecvNonce = &Context->RecvNonce;
} else {
Context->pSealRc4Sched = &Context->SealRc4Sched;
Context->pUnsealRc4Sched = &Context->SealRc4Sched;
Context->pSendNonce = &Context->SendNonce;
Context->pRecvNonce = &Context->SendNonce;
}
Context->ContextNames = NULL;
Length = (MarshalledContext->cbBuffer - sizeof(NTLM_PACKED_CONTEXT));
if (Length > 0)
{
Context->ContextNames = (LPWSTR) NtLmAllocate(Length + sizeof(WCHAR));
if (!Context->ContextNames)
{
Status = STATUS_INSUFFICIENT_RESOURCES;
goto Cleanup;
}
RtlCopyMemory(Context->ContextNames, PackedContext + 1, Length);
// null terminate the string
*(Context->ContextNames + (Length/2)) = UNICODE_NULL;
}
Context->PasswordExpiry = PackedContext->PasswordExpiry;
Context->UserFlags = PackedContext->UserFlags;
KSecInsertListEntry(
NtlmActiveList,
&Context->List );
*NewContext = Context;
Cleanup:
if (!NT_SUCCESS(Status))
{
if (Context != NULL)
{
NtlmFreeKernelContext(Context);
}
}
DebugLog(( DEB_TRACE, "Leaving NtLmCreateKernelContext 0x%lx\n", Status ));
return(Status);
}
//+-------------------------------------------------------------------------
//
// Function:
//
// Synopsis:
//
// Effects:
//
// Arguments:
//
// Requires:
//
// Returns:
//
// Notes:
//
//
//--------------------------------------------------------------------------
NTSTATUS
NtLmImportSecurityContext(
IN PSecBuffer PackedContext,
IN OPTIONAL HANDLE TokenHandle,
OUT PULONG_PTR ContextHandle
)
{
NTSTATUS Status;
PNTLM_KERNEL_CONTEXT Context = NULL;
PAGED_CODE();
DebugLog((DEB_TRACE,"Entering NtLmImportSecurityContext\n"));
Status = NtLmCreateKernelModeContext(
0, // LsaContextHandle not present
TokenHandle,
PackedContext,
&Context
);
if (!NT_SUCCESS(Status))
{
DebugLog((DEB_ERROR,"NtLmImportSecurityContext: Failed to create kernel mode context: 0x%x\n",
Status));
goto Cleanup;
}
*ContextHandle = (ULONG_PTR) Context;
Cleanup:
if (Context != NULL)
{
NtlmDerefContext( Context );
}
return(Status);
}
//+---------------------------------------------------------------------------
//
// Function: NtlmSetPagingMode
//
// Synopsis: Switch the paging mode for cluster support
//
// Arguments: [Pagable] --
//
// History: 7-07-98 RichardW Created
//
// Notes:
//
//----------------------------------------------------------------------------
NTSTATUS
NtlmSetPagingMode(
BOOLEAN Pagable
)
{
if ( Pagable )
{
NtlmPoolType = PagedPool ;
NtlmActiveList = NtlmPagedList ;
}
else
{
if ( NtlmNonPagedList == NULL )
{
NtlmNonPagedList = LsaKernelFunctions->CreateContextList( KSecNonPaged );
if ( NtlmNonPagedList == NULL )
{
return STATUS_NO_MEMORY ;
}
}
NtlmActiveList = NtlmNonPagedList ;
NtlmPoolType = NonPagedPool ;
}
return STATUS_SUCCESS ;
}
Reference in New Issue View Git Blame Copy Permalink