This commit is contained in:
manojampalam 2016-05-12 19:17:41 -07:00
parent fedeacacf5
commit a9f460a5c8
2 changed files with 45 additions and 380 deletions

View File

@ -37,7 +37,6 @@
#include <Ntsecapi.h>
#endif
#include "LsaString.h"
#ifdef __VS_BUILD__
@ -89,8 +88,7 @@ fail:
LsaApi.FreeLsaHeap((*lsaStr));
}
DBG_MSG("ERROR. Cannot allocate LSA UNICODE_STRING...\n");
}
return ntStat;
@ -166,10 +164,6 @@ NTSTATUS FillUnicodeString(UNICODE_STRING *lsaStr, const Char *str)
fail:
if (ntStat)
{
DBG_MSG("ERROR. Cannot fill UNICODE_STRING...\n");
}
return ntStat;
}

View File

@ -35,12 +35,8 @@
#define UMDF_USING_NTSTATUS
#include <Windows.h>
#include <LsaLookup.h>
#include <Ntsecapi.h>
#endif
#include "Ssh-lsa.h"
#ifdef __cplusplus
@ -98,8 +94,7 @@ NTSTATUS NTAPI LsaApInitializePackage(ULONG pkgId,
PLSA_STRING confident,
PLSA_STRING *pkgName)
{
DBG_ENTRY("LsaApInitializePackage");
//
// Save table with adresses of LSA API functions.
//
@ -110,8 +105,7 @@ NTSTATUS NTAPI LsaApInitializePackage(ULONG pkgId,
// Allocate buffer for package name.
//
DBG_MSG("Allocating buffer for pkgName...\n");
*pkgName = (PLSA_STRING) LsaApi.AllocateLsaHeap(sizeof(LSA_STRING));
(*pkgName) -> Buffer = (PCHAR) LsaApi.AllocateLsaHeap(PKG_NAME_SIZE);
@ -120,29 +114,14 @@ NTSTATUS NTAPI LsaApInitializePackage(ULONG pkgId,
// Fill buffer with our name.
//
DBG_MSG("Setting up pkgName...\n");
memcpy((*pkgName) -> Buffer, PKG_NAME, PKG_NAME_SIZE);
(*pkgName) -> Length = PKG_NAME_SIZE - 1;
(*pkgName) -> MaximumLength = PKG_NAME_SIZE;
//
// Initialize OpenSSL lib.
//
DBG_MSG("Initializing OpenSSL...\n");
OPENSSL(SSL_library_init());
DBG_MSG("Initializing OpenSSL digest table...\n");
OPENSSL(OpenSSL_add_all_digests());
DBG_LEAVE("LsaApInitializePackage");
return STATUS_SUCCESS;
}
@ -175,8 +154,7 @@ fail:
if (exitCode)
{
DBG_MSG("ERROR. Cannot to copy SID.\n");
}
}
return exitCode;
}
@ -193,8 +171,7 @@ fail:
Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
{
DBG_ENTRY("LsaAllocTokenInfo");
Int exitCode = 1;
DWORD cbSize = 0;
@ -215,8 +192,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
// Allocate LSA_TOKEN_INFORMATION_V1 struct for output,
//
DBG_MSG("Allocating LSA_TOKEN_INFORMATION_V1 buffer...\n");
tokenInfo = (PLSA_TOKEN_INFORMATION_V1)
LsaApi.AllocateLsaHeap(sizeof(LSA_TOKEN_INFORMATION_V1));
@ -228,8 +204,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
// becouse SIDs must be allocated as separately memory blocks.
//
DBG_MSG("Copying TOKEN_USER...\n");
GetTokenInformation(token, TokenUser, NULL, 0, &cbSize);
pUserToken = (PTOKEN_USER) LocalAlloc(LPTR, cbSize);
@ -245,8 +220,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
// Copy TOKEN_GROUPS part from input token.
//
DBG_MSG("Copying TOKEN_GROUP...\n");
GetTokenInformation(token, TokenGroups, NULL, 0, &cbSize);
pGroupsToken = (PTOKEN_GROUPS) LocalAlloc(LPTR, cbSize);
@ -275,8 +249,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
// in this struct, so we can retrieve it directly to output buffer.
//
DBG_MSG("Retrieving TOKEN_PRIVILEGES directly...\n");
GetTokenInformation(token, TokenPrivileges, NULL, 0, &cbSize);
tokenInfo -> Privileges = (PTOKEN_PRIVILEGES) LsaApi.AllocateLsaHeap(cbSize);
@ -288,8 +261,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
// Copy TOKEN_OWNER part from input token.
//
DBG_MSG("Copying TOKEN_OWNER...\n");
GetTokenInformation(token, TokenOwner, NULL, 0, &cbSize);
pOwnerToken = (PTOKEN_OWNER) LocalAlloc(LPTR, cbSize);
@ -303,8 +275,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
// Copy TOKEN_PRIMARY_GROUP part from input token.
//
DBG_MSG("Copying TOKEN_PRIMARY_GROUP...\n");
GetTokenInformation(token, TokenPrimaryGroup, NULL, 0, &cbSize);
pPrimaryGroupToken = (PTOKEN_PRIMARY_GROUP) LocalAlloc(LPTR, cbSize);
@ -319,8 +290,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token)
// Copy TOKEN_DEFAULT_DACL part from input token.
//
DBG_MSG("Retrieving TOKEN_DEFAULT_DACL...\n");
//GetTokenInformation(token, TokenDefaultDacl, NULL, 0, &cbSize);
//pDaclToken = (PTOKEN_DEFAULT_DACL) LocalAlloc(LPTR, cbSize);
@ -352,153 +322,12 @@ fail:
if (exitCode)
{
DBG_MSG("ERROR. Cannot allocate token information.\n");
}
DBG_LEAVE("LsaAllocTokenInfo");
}
return exitCode;
}
//
// This function performs user authorization.
//
// homedir - user's home dir if authorized success (OUT)
// token - handle to user access token (IN)
// auth - SshLsaAuth struct with authorization data (IN)
//
// RETURNS: 0 if OK.
//
Int AuthorizeUser(wchar_t homeDir[MAX_PATH], HANDLE token, SshLsaAuth *auth)
{
DBG_ENTRY("AuthorizeUser");
Int exitCode = 1;
Int authorized = 0;
PROFILEINFOW profile = {sizeof(PROFILEINFOW)};
Key *key = NULL;
wchar_t keyFileName[MAX_PATH];
wchar_t *nextFile = NULL;
//Char homeDir[MAX_PATH];
DWORD homeDirSize = MAX_PATH;
//
// Compute adressess of SshLsaAuth fields.
//
BYTE *userPtr = (BYTE *) &(auth -> buf_);
BYTE *signPtr = (BYTE *) userPtr + auth -> userSize_;
BYTE *dataPtr = (BYTE *) signPtr + auth -> signSize_;
BYTE *blobPtr = (BYTE *) dataPtr + auth -> dataSize_;
BYTE *authPtr = (BYTE *) blobPtr + auth -> pkBlobSize_;
//
// Create Key struct from pkBlob.
//
DBG_MSG("Reproduce Key struct from blob...n");
FAIL(KeyFromBlob(key, blobPtr, auth -> pkBlobSize_));
FAIL(key == NULL);
//
// Retrieve user's home directory.
//
DBG_MSG("Retrieving user's homedir...");
profile.lpUserName = (wchar_t *) userPtr;
FAIL(LoadUserProfileW(token, &profile) == FALSE);
FAIL(GetUserProfileDirectoryW(token, homeDir, &homeDirSize) == FALSE);
//
// Try authorize using authkey files given by ssh.
//
nextFile = (wchar_t *) authPtr;
for (Unsigned Int i = 0; Not(authorized) && i < auth -> authFilesCount_; i++)
{
wchar_t *fileToCheck = nextFile;
DBG_MSG("Trying keys from [%ls]...\n", nextFile);
//
// Expand relative paths to user homedir like openssh do.
//
if (wcschr(nextFile, ':') == NULL)
{
DBG_MSG("Expanding relative path to user homedir.\n");
#ifndef __VS_BUILD__
snwprintf(keyFileName, sizeof(keyFileName),
L"%ls\\%ls", homeDir, nextFile);
#else
_snwprintf(keyFileName, sizeof(keyFileName),
L"%ls\\%ls", homeDir, nextFile);
#endif
fileToCheck = keyFileName;
}
//
// Try to find key in next 'authorized_key' file.
//
if(FindKeyInFile(fileToCheck, key) == 0)
{
//
// Verify given key.
//
DBG_MSG("Veryfing key...\n");
authorized = (VerifyKey(key, signPtr, auth -> signSize_,
dataPtr, auth -> dataSize_,
auth -> dataFellow_) == 0);
}
//
// Go to next file in list.
//
nextFile = wcschr(nextFile, 0) + sizeof(wchar_t);
}
FAIL(Not(authorized));
exitCode = 0;
fail:
if (exitCode)
{
DBG_MSG("ERROR. Auhtorization failed (%u).\n", GetLastError());
//
// If authorization error clear homedir.
//
ZeroMemory(homeDir, MAX_PATH);
}
UnloadUserProfile(token, profile.hProfile);
DBG_LEAVE("AuthorizeUser");
return exitCode;
}
//
// Called, when client logon process want logon user.
@ -527,8 +356,7 @@ NTSTATUS NTAPI
PLSA_UNICODE_STRING *accountName,
PLSA_UNICODE_STRING *authority)
{
DBG_ENTRY("LsaApLogonUser");
NTSTATUS ntStat = STATUS_LOGON_FAILURE;
Int exitCode = 1;
@ -538,8 +366,6 @@ NTSTATUS NTAPI
//
wchar_t *inUserName = NULL;
SshLsaAuth *auth = (SshLsaAuth *) authData;
//
// Buffers used for retrieving user auth data from SAM database.
@ -579,38 +405,20 @@ NTSTATUS NTAPI
// Check are input args ok?
//
DBG_MSG("Checking input args...\n");
inUserName = (wchar_t *) (((char*)authData)+4);
FAIL(auth == NULL);
FAIL(auth -> buf_ == NULL);
inUserName = (wchar_t *) auth -> buf_;
DBG_MSG("Checking SshLsaAuth size...\n");
FAIL(auth -> totalSize_ != authDataSize);
DBG_MSG("logonType = %u\n", logonType);
DBG_MSG("userName = [%ls]\n", inUserName);
//
// Get info about client process.
//
DBG_MSG("Retreving info about client process...\n");
NTFAIL(LsaApi.GetClientInfo(&clientInfo));
DBG_MSG("Client info:\n");
DBG_MSG(" LogonId : %d\n", clientInfo.LogonId);
DBG_MSG(" ProcessID : %d\n", clientInfo.ProcessID);
DBG_MSG(" ThreadID : %d\n", clientInfo.ThreadID);
DBG_MSG(" HasTcbPrivilege : %d\n", clientInfo.HasTcbPrivilege);
DBG_MSG(" Impersonating : %d\n", clientInfo.Impersonating);
DBG_MSG(" Restricted : %d\n", clientInfo.Restricted);
//
// Fail if client has not got SeTcbPrivilege.
//
@ -621,8 +429,7 @@ NTSTATUS NTAPI
// Allocate buffers.
//
DBG_MSG("Allocating string buffers...\n");
NTFAIL(LsaAllocUnicodeString(authority, MAX_ACCOUNT_NAME_SIZE));
NTFAIL(LsaAllocUnicodeString(accountName, MAX_ACCOUNT_NAME_SIZE));
NTFAIL(LsaAllocUnicodeString(&flatName, MAX_ACCOUNT_NAME_SIZE));
@ -631,8 +438,7 @@ NTSTATUS NTAPI
// Retrieve user data from SAM base.
//
DBG_MSG("GetAuthDataForUser()...\n");
lstrcpyW(samUserBuf, inUserName);
samUserBuf[MAX_ACCOUNT_NAME_SIZE] = 0x00;
@ -642,14 +448,12 @@ NTSTATUS NTAPI
NTFAIL(LsaApi.GetAuthDataForUser(&samUser, SecNameFlat, NULL,
&userAuth, &userAuthSize, flatName));
DBG_MSG("userAuthSize = %u\n", userAuthSize);
//
// Create token basing on SAM data.
//
DBG_MSG("ConvertAuthDataToToken()...\n");
memcpy (tokenSource.SourceName, "_sshlsa_", 8);
AllocateLocallyUniqueId(&tokenSource.SourceIdentifier);
@ -664,28 +468,17 @@ NTSTATUS NTAPI
// Print token info.
//
DBG_PRINT_TOKEN(token);
//
// Perform authorization and retrieve homeDir if success.
//
DBG_MSG("Performing authorization...\n");
FAIL(AuthorizeUser(homeDir, token, auth));
//
// Allocate client buffer and copy home dir to it.
//
DBG_MSG("Filling profile buffer...\n");
NTFAIL(LsaApi.AllocateClientBuffer(request, MAX_PATH * sizeof(wchar_t), profile));
*profileSize = MAX_PATH;
DBG_MSG("homeDir = %ls\n", homeDir);
NTFAIL(LsaApi.CopyToClientBuffer(request, MAX_PATH * sizeof(wchar_t),
*profile, homeDir));
@ -695,8 +488,7 @@ NTSTATUS NTAPI
// here.
//
DBG_MSG("Creating token infos for LSA output...\n");
PLSA_TOKEN_INFORMATION_V1 outTokenInfo;
FAIL(LsaAllocTokenInfo(outTokenInfo, token));
@ -709,24 +501,9 @@ NTSTATUS NTAPI
// Duplicate token from lsa space to client space.
//
DBG_MSG("Duplicating token into client space...\n");
NTFAIL(LsaApi.DuplicateHandle(token, &clientToken));
//
// Create new logon session.
//
/*
DBG_MSG("Creating new logon session...\n");
FAIL(AllocateLocallyUniqueId(logonId) == FALSE);
*subStat = LsaApi.CreateLogonSession(logonId);
FAIL(*subStat);
*/
ntStat = STATUS_SUCCESS;
exitCode = 0;
@ -735,9 +512,6 @@ fail:
if (exitCode)
{
DBG_MSG("ERROR. Cannot logon user "
"(err = %u, ntStat = %x, subNtStat = %x).\n",
GetLastError(), ntStat, *subStat);
ntStat = STATUS_LOGON_FAILURE;
@ -749,8 +523,7 @@ fail:
}
else
{
DBG_MSG("LsaApLogonUser : OK.\n");
}
}
//
// Cleanup temporary buffers.
@ -758,12 +531,10 @@ fail:
CloseHandle(token);
DBG_MSG("Freeing temp buffers...\n");
LsaFreeUnicodeString(flatName);
DBG_LEAVE("LsaApLogonUser");
return ntStat;
}
@ -775,8 +546,7 @@ fail:
VOID NTAPI LsaApLogonTerminated(PLUID logonId)
{
DBG_MSG("LsaApLogonTerminated(id = %d)...\n", *logonId);
}
}
//
@ -800,18 +570,13 @@ BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpRes)
// Initialize log.
//
DBG_INIT(NULL);
DBG_MSG("DllMain -> DLL_PROCESS_ATTACH\n");
DBG_MSG("[SSH-LSA-%s]\n", VERSION);
//
// Load 'ntdll.dll' module.
//
DBG_MSG("Loading 'ntdll.dll' module...\n");
NtDll = GetModuleHandle("ntdll.dll");
FAIL(NtDll == NULL);
@ -820,80 +585,12 @@ BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpRes)
// Load RtlInitUnicodeString() function from 'ntdll.dll'.
//
DBG_MSG("Retrieving 'RtlInitUnicodeString' address...\n");
RtlInitUnicodeString = (RtlInitUnicodeStringPtr)
GetProcAddress(NtDll, "RtlInitUnicodeString");
FAIL(RtlInitUnicodeString == NULL);
//
// This code is code for dynamic, 'on the fly' OpenSSL libs loading.
//
#ifdef DYNAMIC_OPENSSL
//
// Load 'libssl.dll' module.
//
DBG_MSG("Loading 'libssl.dll' module...\n");
LibSSL = LoadLibrary("libssl.dll");
FAIL(LibSSL == NULL);
//
// Load 'libcrypto.dll' module.
//
DBG_MSG("Loading 'libcrypto.dll' module...\n");
LibCrypto = LoadLibrary("libcrypto.dll");
FAIL(LibCrypto == NULL);
//
// Load 'libSSL.dll' functions.
//
DynSSL.SSL_library_init = (SSL_library_init_Ptr) GetProcAddress(LibSSL, "SSL_library_init");
//
// Load 'libcrypto.dll' functions.
//
DynSSL.EVP_sha1 = (EVP_sha1_Ptr) GetProcAddress(LibCrypto, "EVP_sha1");
DynSSL.EVP_DigestInit = (EVP_DigestInit_Ptr) GetProcAddress(LibCrypto, "EVP_DigestInit");
DynSSL.EVP_DigestFinal = (EVP_DigestFinal_Ptr) GetProcAddress(LibCrypto, "EVP_DigestFinal");
DynSSL.EVP_DigestUpdate = (EVP_DigestUpdate_Ptr) GetProcAddress(LibCrypto, "EVP_DigestUpdate");
DynSSL.EVP_Digest = (EVP_Digest_Ptr) GetProcAddress(LibCrypto, "EVP_Digest");
DynSSL.EVP_get_digestbyname = (EVP_get_digestbyname_Ptr) GetProcAddress(LibCrypto, "EVP_get_digestbyname");
DynSSL.DSA_SIG_free = (DSA_SIG_free_Ptr) GetProcAddress(LibCrypto, "DSA_SIG_free");
DynSSL.DSA_SIG_new = (DSA_SIG_new_Ptr) GetProcAddress(LibCrypto, "DSA_SIG_new");
DynSSL.DSA_do_verify = (DSA_do_verify_Ptr) GetProcAddress(LibCrypto, "DSA_do_verify");
DynSSL.DSA_new = (DSA_new_Ptr) GetProcAddress(LibCrypto, "DSA_new");
DynSSL.DSA_free = (DSA_free_Ptr) GetProcAddress(LibCrypto, "DSA_free");
DynSSL.RSA_size = (RSA_size_Ptr) GetProcAddress(LibCrypto, "RSA_size");
DynSSL.RSA_new = (RSA_new_Ptr) GetProcAddress(LibCrypto, "RSA_new");
DynSSL.RSA_free = (RSA_free_Ptr) GetProcAddress(LibCrypto, "RSA_free");
DynSSL.BN_new = (BN_new_Ptr) GetProcAddress(LibCrypto, "BN_new");
DynSSL.BN_bin2bn = (BN_bin2bn_Ptr) GetProcAddress(LibCrypto, "BN_bin2bn");
DynSSL.BN_num_bits = (BN_num_bits_Ptr) GetProcAddress(LibCrypto, "BN_num_bits");
DynSSL.BN_cmp = (BN_cmp_Ptr) GetProcAddress(LibCrypto, "BN_cmp");
DynSSL.RSA_public_decrypt = (RSA_public_decrypt_Ptr) GetProcAddress(LibCrypto, "RSA_public_decrypt");
DynSSL.OBJ_nid2sn = (OBJ_nid2sn_Ptr) GetProcAddress(LibCrypto, "OBJ_nid2sn");
DynSSL.OpenSSL_add_all_digests = (OpenSSL_add_all_digests_Ptr) GetProcAddress(LibCrypto, "OpenSSL_add_all_digests");
#endif
break;
}
@ -903,18 +600,8 @@ BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpRes)
case DLL_PROCESS_DETACH:
{
DBG_MSG("DllMain -> DLL_PROCESS_DETACH\n");
FreeModule(NtDll);
#ifdef DYNAMIC_OPENSSL
FreeModule(LibCrypto);
FreeModule(LibSSL);
#endif
}
}
@ -924,18 +611,8 @@ fail:
if (exitCode == FALSE)
{
DBG_MSG("ERROR. Cannot initialize DLL (%u).\n", GetLastError());
FreeModule(NtDll);
#ifdef DYNAMIC_OPENSSL
FreeModule(LibCrypto);
FreeModule(LibSSL);
#endif
}
return exitCode;
@ -953,9 +630,7 @@ NTSTATUS NTAPI LsaApCallPackagePassthrough(PLSA_CLIENT_REQUEST request,
PULONG outBufSize,
PNTSTATUS status)
{
DBG_ENTRY("LsaApCallPackagePassthrough(");
DBG_LEAVE("LsaApCallPackagePassthrough(");
return STATUS_NOT_IMPLEMENTED;
}
@ -971,9 +646,7 @@ NTSTATUS NTAPI LsaApCallPackageUntrusted(PLSA_CLIENT_REQUEST request,
PULONG outBufSize,
PNTSTATUS status)
{
DBG_ENTRY("LsaApCallPackageUntrusted");
DBG_LEAVE("LsaApCallPackageUntrusted");
return STATUS_NOT_IMPLEMENTED;
}
@ -986,9 +659,7 @@ NTSTATUS NTAPI LsaApCallPackage(PLSA_CLIENT_REQUEST request, PVOID submitBuf,
PVOID *outBuf, PULONG outBufSize,
PNTSTATUS status)
{
DBG_ENTRY("LsaApCallPackage");
DBG_LEAVE("LsaApCallPackage");
return STATUS_NOT_IMPLEMENTED;
}