Author: hbelusca Date: Tue Sep 20 23:43:16 2016 New Revision: 72751
URL: http://svn.reactos.org/svn/reactos?rev=72751&view=rev Log: [SECUR32][NTOS]: Update the LSA export signatures for the functions that are implemented in the "lsalib" library.
[LSALIB] - Add old-school annotations (as we currently do in our main .c code of our stuff). - Mention that LsaConnectUntrusted is not an API that is exported (& implemented) by ntoskrnl. - For LsaRegisterLogonProcess, we first wait for the LSA server to be ready (by waiting on its initialization event). This is TODO for LsaConnectUntrusted on the contrary.
[LSALIB][NTOS] Use the lsalib as the implementation of the LSA functions exported by ntoskrnl. But for that we need to recompile the lsalib as a library that can be used from inside ntoskrnl, because it needs some functions that are normally exported by ntos. For this purpose I add the library target "ntlsalib" (which also specifies different #defines), to differentiate it from the (user-mode) "lsalib" one that is used by secur32.dll (Amine, if you have a better idea on how to do that, please let me know!).
Modified: trunk/reactos/dll/win32/secur32/secur32.spec trunk/reactos/ntoskrnl/CMakeLists.txt trunk/reactos/ntoskrnl/ntkrnlmp/CMakeLists.txt trunk/reactos/ntoskrnl/ntoskrnl.spec trunk/reactos/ntoskrnl/se/lsa.c trunk/reactos/sdk/lib/lsalib/CMakeLists.txt trunk/reactos/sdk/lib/lsalib/lsa.c
Modified: trunk/reactos/dll/win32/secur32/secur32.spec
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/dll/win32/secur32/secur32.s...
==============================================================================
--- trunk/reactos/dll/win32/secur32/secur32.spec [iso-8859-1] (original)
+++ trunk/reactos/dll/win32/secur32/secur32.spec [iso-8859-1] Tue Sep 20 23:43:16 2016
@@ -32,13 +32,13 @@
 @ stdcall InitializeSecurityContextA(ptr ptr str long long long ptr long ptr ptr ptr ptr)
 @ stdcall InitializeSecurityContextW(ptr ptr wstr long long long ptr long ptr ptr ptr ptr)
 @ stdcall LsaCallAuthenticationPackage(long long ptr long ptr ptr ptr)
-@ stdcall LsaConnectUntrusted(long)
+@ stdcall LsaConnectUntrusted(ptr)
 @ stdcall LsaDeregisterLogonProcess(long)
 @ stdcall LsaEnumerateLogonSessions(ptr ptr)
 @ stdcall LsaFreeReturnBuffer(ptr)
 @ stdcall LsaGetLogonSessionData(ptr ptr)
-@ stdcall LsaLogonUser(ptr ptr long long ptr long ptr ptr ptr ptr ptr ptr ptr ptr)
-@ stdcall LsaLookupAuthenticationPackage(ptr ptr ptr)
+@ stdcall LsaLogonUser(long ptr long long ptr long ptr ptr ptr ptr ptr ptr ptr ptr)
+@ stdcall LsaLookupAuthenticationPackage(long ptr ptr)
 @ stdcall LsaRegisterLogonProcess(ptr ptr ptr)
 @ stdcall LsaRegisterPolicyChangeNotification(long ptr)
 @ stdcall LsaUnregisterPolicyChangeNotification(long ptr)
Modified: trunk/reactos/ntoskrnl/CMakeLists.txt
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/CMakeLists.txt?rev...
==============================================================================
--- trunk/reactos/ntoskrnl/CMakeLists.txt [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/CMakeLists.txt [iso-8859-1] Tue Sep 20 23:43:16 2016
@@ -37,7 +37,7 @@
 endif()
 endif()
-target_link_libraries(ntoskrnl cportlib csq ${PSEH_LIB} cmlib rtl ${ROSSYM_LIB} libcntpr wdmguid ioevent)
+target_link_libraries(ntoskrnl cportlib csq ${PSEH_LIB} cmlib ntlsalib rtl ${ROSSYM_LIB} libcntpr wdmguid ioevent)
 if(STACK_PROTECTOR)
 target_link_libraries(ntoskrnl gcc_ssp)
Modified: trunk/reactos/ntoskrnl/ntkrnlmp/CMakeLists.txt
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ntkrnlmp/CMakeList...
==============================================================================
--- trunk/reactos/ntoskrnl/ntkrnlmp/CMakeLists.txt [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/ntkrnlmp/CMakeLists.txt [iso-8859-1] Tue Sep 20 23:43:16 2016
@@ -39,7 +39,7 @@
 target_link_libraries(ntkrnlmp runtmchk)
 endif()
-target_link_libraries(ntkrnlmp cportlib csq ${PSEH_LIB} cmlib rtl ${ROSSYM_LIB} libcntpr wdmguid ioevent)
+target_link_libraries(ntkrnlmp cportlib csq ${PSEH_LIB} cmlib ntlsalib rtl ${ROSSYM_LIB} libcntpr wdmguid ioevent)
 add_importlibs(ntkrnlmp hal kdcom bootvid)
 add_pch(ntkrnlmp ${REACTOS_SOURCE_DIR}/ntoskrnl/include/ntoskrnl.h NTKRNLMP_SOURCE)
 add_dependencies(ntkrnlmp psdk bugcodes asm)
Modified: trunk/reactos/ntoskrnl/ntoskrnl.spec
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/ntoskrnl.spec?rev=...
==============================================================================
--- trunk/reactos/ntoskrnl/ntoskrnl.spec [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/ntoskrnl.spec [iso-8859-1] Tue Sep 20 23:43:16 2016
@@ -742,11 +742,11 @@
 @ extern LpcPortObjectType
 @ stdcall LpcRequestPort(ptr ptr)
 @ stdcall LpcRequestWaitReplyPort(ptr ptr ptr)
-@ stdcall LsaCallAuthenticationPackage(long long long long long long long)
-@ stdcall LsaDeregisterLogonProcess(long long)
+@ stdcall LsaCallAuthenticationPackage(long long ptr long ptr ptr ptr)
+@ stdcall LsaDeregisterLogonProcess(long)
 @ stdcall LsaFreeReturnBuffer(ptr)
-@ stdcall LsaLogonUser(ptr ptr long long ptr long ptr ptr ptr ptr ptr ptr ptr ptr)
-@ stdcall LsaLookupAuthenticationPackage(long long long)
+@ stdcall LsaLogonUser(long ptr long long ptr long ptr ptr ptr ptr ptr ptr ptr ptr)
+@ stdcall LsaLookupAuthenticationPackage(long ptr ptr)
 @ stdcall LsaRegisterLogonProcess(ptr ptr ptr)
 @ extern Mm64BitPhysicalAddress
 @ stdcall MmAddPhysicalMemory(ptr ptr)
Modified: trunk/reactos/ntoskrnl/se/lsa.c
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/ntoskrnl/se/lsa.c?rev=72751...
==============================================================================
--- trunk/reactos/ntoskrnl/se/lsa.c [iso-8859-1] (original)
+++ trunk/reactos/ntoskrnl/se/lsa.c [iso-8859-1] Tue Sep 20 23:43:16 2016
@@ -16,92 +16,15 @@
 /* FUNCTIONS ******************************************************************/
 /*
- * @unimplemented
+ * NOTE: The following LSA functions:
+ * LsaCallAuthenticationPackage
+ * LsaFreeReturnBuffer
+ * LsaLogonUser
+ * LsaLookupAuthenticationPackage
+ * LsaRegisterLogonProcess
+ * LsaDeregisterLogonProcess
+ * are already implemented in the 'lsalib' library (sdk/lib/lsalib/lsa.c).
 */
-NTSTATUS
-NTAPI
-LsaCallAuthenticationPackage(ULONG Unknown0,
- ULONG Unknown1,
- ULONG Unknown2,
- ULONG Unknown3,
- ULONG Unknown4,
- ULONG Unknown5,
- ULONG Unknown6)
-{
- return STATUS_NOT_IMPLEMENTED;
-}
-
-/*
- * @unimplemented
- */
-NTSTATUS
-NTAPI
-LsaDeregisterLogonProcess(ULONG Unknown0,
- ULONG Unknown1)
-{
- return STATUS_NOT_IMPLEMENTED;
-}
-
-/*
- * @implemented
- */
-NTSTATUS
-NTAPI
-LsaFreeReturnBuffer(PVOID Buffer)
-{
- SIZE_T Size = 0;
- return ZwFreeVirtualMemory(NtCurrentProcess(),
- &Buffer,
- &Size,
- MEM_RELEASE);
-}
-
-/*
- * @unimplemented
- */
-NTSTATUS
-NTAPI
-LsaLogonUser(IN HANDLE LsaHandle,
- IN PLSA_STRING OriginName,
- IN SECURITY_LOGON_TYPE LogonType,
- IN ULONG AuthenticationPackage,
- IN PVOID AuthenticationInformation,
- IN ULONG AuthenticationInformationLength,
- IN PTOKEN_GROUPS LocalGroups OPTIONAL,
- IN PTOKEN_SOURCE SourceContext,
- OUT PVOID *ProfileBuffer,
- OUT PULONG ProfileBufferLength,
- OUT PLUID LogonId,
- OUT PHANDLE Token,
- OUT PQUOTA_LIMITS Quotas,
- OUT PNTSTATUS SubStatus)
-{
- return STATUS_NOT_IMPLEMENTED;
-}
-
-/*
- * @unimplemented
- */
-NTSTATUS
-NTAPI
-LsaLookupAuthenticationPackage(ULONG Unknown0,
- ULONG Unknown1,
- ULONG Unknown2)
-{
- return STATUS_NOT_IMPLEMENTED;
-}
-
-/*
- * @unimplemented
- */
-NTSTATUS
-NTAPI
-LsaRegisterLogonProcess(IN PLSA_STRING LogonProcessName,
- OUT PHANDLE LsaHandle,
- OUT PLSA_OPERATIONAL_MODE SecurityMode)
-{
- return STATUS_NOT_IMPLEMENTED;
-}
 /*
 * @unimplemented
Modified: trunk/reactos/sdk/lib/lsalib/CMakeLists.txt
URL: http://svn.reactos.org/svn/reactos/trunk/reactos/sdk/lib/lsalib/CMakeLists.t...
==============================================================================
--- trunk/reactos/sdk/lib/lsalib/CMakeLists.txt [iso-8859-1] (original)
+++ trunk/reactos/sdk/lib/lsalib/CMakeLists.txt [iso-8859-1] Tue Sep 20 23:43:16 2016
@@ -1,4 +1,9 @@
 include_directories(${REACTOS_SOURCE_DIR}/sdk/include/reactos/subsys)
+
 add_library(lsalib lsa.c)
 add_dependencies(lsalib xdk)
+
+add_library(ntlsalib lsa.c)
+add_target_compile_definitions(ntlsalib _NTSYSTEM_)
+add_dependencies(ntlsalib xdk)
Modified: trunk/reactos/sdk/lib/lsalib/lsa.c URL: http://svn.reactos.org/svn/reactos/trunk/reactos/sdk/lib/lsalib/lsa.c?rev=72... ============================================================================== --- trunk/reactos/sdk/lib/lsalib/lsa.c [iso-8859-1] (original) +++ trunk/reactos/sdk/lib/lsalib/lsa.c [iso-8859-1] Tue Sep 20 23:43:16 2016 @@ -9,12 +9,13 @@
/* INCLUDES ******************************************************************/
+#include <ndk/exfuncs.h> #include <ndk/lpctypes.h> #include <ndk/lpcfuncs.h> #include <ndk/mmfuncs.h> #include <ndk/rtlfuncs.h> #include <ndk/obfuncs.h> -#include <psdk/ntsecapi.h> +// #include <psdk/ntsecapi.h> #include <lsass/lsass.h>
#define NDEBUG @@ -22,67 +23,35 @@
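Review bot: The `// #include <psdk/ntsecapi.h>` line leaves a disabled include in the file with no reason given. If no other header pulled in here declares the Lsa* functions (not visible in this hunk), the definitions below are no longer checked against the public prototypes, which is the same kind of signature drift this commit corrects in the .spec files. Either delete the line or keep it with a stated reason, e.g. `/* <psdk/ntsecapi.h> is not included because <reason>; prototypes come from <header> */` (both placeholders to be filled in by the author).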
/* GLOBALS *******************************************************************/
+// FIXME: Do we really need this?! +#if !defined(__NTOSKRNL__) && !defined(_NTOSKRNL_) && !defined(_NTSYSTEM_) extern HANDLE Secur32Heap; +#endif
/* FUNCTIONS *****************************************************************/
-/* - * @implemented - */ -NTSTATUS -WINAPI -LsaDeregisterLogonProcess(HANDLE LsaHandle) -{ - LSA_API_MSG ApiMessage; - NTSTATUS Status; - - DPRINT("LsaDeregisterLogonProcess()\n"); - - ApiMessage.ApiNumber = LSASS_REQUEST_DEREGISTER_LOGON_PROCESS; - ApiMessage.h.u1.s1.DataLength = LSA_PORT_DATA_SIZE(ApiMessage.DeregisterLogonProcess); - ApiMessage.h.u1.s1.TotalLength = LSA_PORT_MESSAGE_SIZE; - ApiMessage.h.u2.ZeroInit = 0; - - Status = ZwRequestWaitReplyPort(LsaHandle, - (PPORT_MESSAGE)&ApiMessage, - (PPORT_MESSAGE)&ApiMessage); - if (!NT_SUCCESS(Status)) - { - DPRINT1("ZwRequestWaitReplyPort() failed (Status 0x%08lx)\n", Status); - return Status; - } - - if (!NT_SUCCESS(ApiMessage.Status)) - { - DPRINT1("ZwRequestWaitReplyPort() failed (ApiMessage.Status 0x%08lx)\n", ApiMessage.Status); - return ApiMessage.Status; - } - - NtClose(LsaHandle); - - DPRINT("LsaDeregisterLogonProcess() done (Status 0x%08lx)\n", Status); - - return Status; -} - - -/* - * @implemented - */ -NTSTATUS -WINAPI -LsaConnectUntrusted(PHANDLE LsaHandle) -{ +/* This API is not defined and exported by NTOSKRNL */ +#if !defined(__NTOSKRNL__) && !defined(_NTOSKRNL_) && !defined(_NTSYSTEM_) +/* + * @implemented + */ +NTSTATUS +NTAPI +LsaConnectUntrusted(OUT PHANDLE LsaHandle) +{ + NTSTATUS Status; UNICODE_STRING PortName; // = RTL_CONSTANT_STRING(L"\LsaAuthenticationPort"); SECURITY_QUALITY_OF_SERVICE SecurityQos; LSA_CONNECTION_INFO ConnectInfo; ULONG ConnectInfoLength = sizeof(ConnectInfo); - NTSTATUS Status;
DPRINT("LsaConnectUntrusted(%p)\n", LsaHandle);
- RtlInitUnicodeString(&PortName, - L"\LsaAuthenticationPort"); + // TODO: Wait on L"\SECURITY\LSA_AUTHENTICATION_INITIALIZED" event + // for the LSA server to be ready, and because we are untrusted, + // we may need to impersonate ourselves before! + + RtlInitUnicodeString(&PortName, L"\LsaAuthenticationPort");
SecurityQos.Length = sizeof(SecurityQos); SecurityQos.ImpersonationLevel = SecurityIdentification; @@ -115,23 +84,23 @@
return ConnectInfo.Status; } - - -/* - * @implemented - */ -NTSTATUS -WINAPI -LsaCallAuthenticationPackage(HANDLE LsaHandle, - ULONG AuthenticationPackage, - PVOID ProtocolSubmitBuffer, - ULONG SubmitBufferLength, - PVOID *ProtocolReturnBuffer, - PULONG ReturnBufferLength, - PNTSTATUS ProtocolStatus) -{ +#endif + +/* + * @implemented + */ +NTSTATUS +NTAPI +LsaCallAuthenticationPackage(IN HANDLE LsaHandle, + IN ULONG AuthenticationPackage, + IN PVOID ProtocolSubmitBuffer, + IN ULONG SubmitBufferLength, + OUT PVOID *ProtocolReturnBuffer, + OUT PULONG ReturnBufferLength, + OUT PNTSTATUS ProtocolStatus) +{ + NTSTATUS Status; LSA_API_MSG ApiMessage; - NTSTATUS Status;
DPRINT1("LsaCallAuthenticationPackage()\n");
@@ -171,14 +140,13 @@ * @implemented */ NTSTATUS -WINAPI -LsaFreeReturnBuffer(PVOID Buffer) -{ - ULONG Length = 0; - +NTAPI +LsaFreeReturnBuffer(IN PVOID Buffer) +{ + SIZE_T Size = 0; return ZwFreeVirtualMemory(NtCurrentProcess(), &Buffer, - &Length, + &Size, MEM_RELEASE); }
@@ -187,13 +155,13 @@ * @implemented */ NTSTATUS -WINAPI -LsaLookupAuthenticationPackage(HANDLE LsaHandle, - PLSA_STRING PackageName, - PULONG AuthenticationPackage) -{ +NTAPI +LsaLookupAuthenticationPackage(IN HANDLE LsaHandle, + IN PLSA_STRING PackageName, + OUT PULONG AuthenticationPackage) +{ + NTSTATUS Status; LSA_API_MSG ApiMessage; - NTSTATUS Status;
/* Check the package name length */ if (PackageName->Length > LSASS_MAX_PACKAGE_NAME_LENGTH) @@ -210,7 +178,7 @@ strncpy(ApiMessage.LookupAuthenticationPackage.Request.PackageName, PackageName->Buffer, ApiMessage.LookupAuthenticationPackage.Request.PackageNameLength); - ApiMessage.LookupAuthenticationPackage.Request.PackageName[ApiMessage.LookupAuthenticationPackage.Request.PackageNameLength] = '\0'; + ApiMessage.LookupAuthenticationPackage.Request.PackageName[ApiMessage.LookupAuthenticationPackage.Request.PackageNameLength] = ANSI_NULL;
Status = ZwRequestWaitReplyPort(LsaHandle, (PPORT_MESSAGE)&ApiMessage, @@ -235,24 +203,24 @@ * @implemented */ NTSTATUS -WINAPI -LsaLogonUser(HANDLE LsaHandle, - PLSA_STRING OriginName, - SECURITY_LOGON_TYPE LogonType, - ULONG AuthenticationPackage, - PVOID AuthenticationInformation, - ULONG AuthenticationInformationLength, - PTOKEN_GROUPS LocalGroups, - PTOKEN_SOURCE SourceContext, - PVOID *ProfileBuffer, - PULONG ProfileBufferLength, - PLUID LogonId, - PHANDLE Token, - PQUOTA_LIMITS Quotas, - PNTSTATUS SubStatus) -{ +NTAPI +LsaLogonUser(IN HANDLE LsaHandle, + IN PLSA_STRING OriginName, + IN SECURITY_LOGON_TYPE LogonType, + IN ULONG AuthenticationPackage, + IN PVOID AuthenticationInformation, + IN ULONG AuthenticationInformationLength, + IN PTOKEN_GROUPS LocalGroups OPTIONAL, + IN PTOKEN_SOURCE SourceContext, + OUT PVOID *ProfileBuffer, + OUT PULONG ProfileBufferLength, + OUT PLUID LogonId, + OUT PHANDLE Token, + OUT PQUOTA_LIMITS Quotas, + OUT PNTSTATUS SubStatus) +{ + NTSTATUS Status; LSA_API_MSG ApiMessage; - NTSTATUS Status;
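Review bot: The terminator write `Request.PackageName[Request.PackageNameLength] = ANSI_NULL;` lands one element past the copied bytes, while the only bound visible (in the previous hunk) rejects `PackageName->Length > LSASS_MAX_PACKAGE_NAME_LENGTH`, so a name of exactly the maximum length presumably writes at index LSASS_MAX_PACKAGE_NAME_LENGTH. That is in bounds only if the PackageName array is declared with LSASS_MAX_PACKAGE_NAME_LENGTH + 1 elements, which cannot be seen here; if it is not, the check should be `>=`. Because this file is now also built into ntoskrnl as ntlsalib, an off-by-one here would corrupt kernel stack rather than user-mode stack, so it is worth a `C_ASSERT` on the array size next to the check. The same pattern appears in LsaRegisterLogonProcess (`ConnectInfo.LogonProcessNameBuffer[ConnectInfo.Length] = ANSI_NULL;` against `> LSASS_MAX_LOGON_PROCESS_NAME_LENGTH`). The function body starts and ends outside this hunk.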
ApiMessage.ApiNumber = LSASS_REQUEST_LOGON_USER; ApiMessage.h.u1.s1.DataLength = LSA_PORT_DATA_SIZE(ApiMessage.LogonUser); @@ -300,25 +268,53 @@ * @implemented */ NTSTATUS -WINAPI -LsaRegisterLogonProcess(PLSA_STRING LsaLogonProcessName, - PHANDLE Handle, - PLSA_OPERATIONAL_MODE OperationalMode) -{ +NTAPI +LsaRegisterLogonProcess(IN PLSA_STRING LogonProcessName, + OUT PHANDLE LsaHandle, + OUT PLSA_OPERATIONAL_MODE OperationalMode) +{ + NTSTATUS Status; + HANDLE EventHandle; UNICODE_STRING PortName; // = RTL_CONSTANT_STRING(L"\LsaAuthenticationPort"); + OBJECT_ATTRIBUTES ObjectAttributes; SECURITY_QUALITY_OF_SERVICE SecurityQos; LSA_CONNECTION_INFO ConnectInfo; ULONG ConnectInfoLength = sizeof(ConnectInfo); - NTSTATUS Status;
DPRINT("LsaRegisterLogonProcess()\n");
/* Check the logon process name length */ - if (LsaLogonProcessName->Length > LSASS_MAX_LOGON_PROCESS_NAME_LENGTH) + if (LogonProcessName->Length > LSASS_MAX_LOGON_PROCESS_NAME_LENGTH) return STATUS_NAME_TOO_LONG;
- RtlInitUnicodeString(&PortName, - L"\LsaAuthenticationPort"); + /* + * First check whether the LSA server is ready: + * open the LSA event and wait on it. + */ + // Note that we just reuse the 'PortName' variable here. + RtlInitUnicodeString(&PortName, L"\SECURITY\LSA_AUTHENTICATION_INITIALIZED"); + InitializeObjectAttributes(&ObjectAttributes, + &PortName, + OBJ_CASE_INSENSITIVE, + NULL, + NULL); + Status = NtOpenEvent(&EventHandle, SYNCHRONIZE, &ObjectAttributes); + if (!NT_SUCCESS(Status)) + { + DPRINT1("NtOpenEvent failed (Status 0x%08lx)\n", Status); + return Status; + } + + Status = NtWaitForSingleObject(EventHandle, TRUE, NULL); + NtClose(EventHandle); + if (!NT_SUCCESS(Status)) + { + DPRINT1("NtWaitForSingleObject failed (Status 0x%08lx)\n", Status); + return Status; + } + + /* Now attempt the connection */ + RtlInitUnicodeString(&PortName, L"\LsaAuthenticationPort");
SecurityQos.Length = sizeof(SecurityQos); SecurityQos.ImpersonationLevel = SecurityIdentification; @@ -326,13 +322,13 @@ SecurityQos.EffectiveOnly = TRUE;
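Review bot: `NtWaitForSingleObject(EventHandle, TRUE, NULL)` is an alertable wait, so it can return STATUS_USER_APC or STATUS_ALERTED, both of which pass `NT_SUCCESS`, and the code then connects to the port although the initialization event was never signalled; use `NtWaitForSingleObject(EventHandle, FALSE, NULL)` or continue only when `Status == STATUS_SUCCESS`. The timeout is also infinite, so the caller blocks indefinitely if the event is never set. Since this file is now linked into ntoskrnl as ntlsalib, the new `NtOpenEvent`/`NtWaitForSingleObject`/`NtClose` calls (and the `NtClose(LsaHandle)` in LsaDeregisterLogonProcess at the end of the file) run with whatever previous mode the calling thread has, unlike the `Zw*` calls used elsewhere in the file. For the kernel build I would use the `Zw*` forms and pass `OBJ_CASE_INSENSITIVE | OBJ_KERNEL_HANDLE` so the event handle does not land in the calling process's handle table. LsaRegisterLogonProcess continues past the end of this hunk.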
strncpy(ConnectInfo.LogonProcessNameBuffer, - LsaLogonProcessName->Buffer, - LsaLogonProcessName->Length); - ConnectInfo.Length = LsaLogonProcessName->Length; - ConnectInfo.LogonProcessNameBuffer[ConnectInfo.Length] = '\0'; + LogonProcessName->Buffer, + LogonProcessName->Length); + ConnectInfo.Length = LogonProcessName->Length; + ConnectInfo.LogonProcessNameBuffer[ConnectInfo.Length] = ANSI_NULL; ConnectInfo.CreateContext = TRUE;
- Status = ZwConnectPort(Handle, + Status = ZwConnectPort(LsaHandle, &PortName, &SecurityQos, NULL, @@ -357,3 +353,42 @@ return ConnectInfo.Status; }
+
+/*
+ * @implemented
+ */
+NTSTATUS
+NTAPI
+LsaDeregisterLogonProcess(IN HANDLE LsaHandle)
+{
+ NTSTATUS Status;
+ LSA_API_MSG ApiMessage;
+
+ DPRINT("LsaDeregisterLogonProcess()\n");
+
+ ApiMessage.ApiNumber = LSASS_REQUEST_DEREGISTER_LOGON_PROCESS;
+ ApiMessage.h.u1.s1.DataLength = LSA_PORT_DATA_SIZE(ApiMessage.DeregisterLogonProcess);
+ ApiMessage.h.u1.s1.TotalLength = LSA_PORT_MESSAGE_SIZE;
+ ApiMessage.h.u2.ZeroInit = 0;
+
+ Status = ZwRequestWaitReplyPort(LsaHandle,
+ (PPORT_MESSAGE)&ApiMessage,
+ (PPORT_MESSAGE)&ApiMessage);
+ if (!NT_SUCCESS(Status))
+ {
+ DPRINT1("ZwRequestWaitReplyPort() failed (Status 0x%08lx)\n", Status);
+ return Status;
+ }
+
+ if (!NT_SUCCESS(ApiMessage.Status))
+ {
+ DPRINT1("ZwRequestWaitReplyPort() failed (ApiMessage.Status 0x%08lx)\n", ApiMessage.Status);
+ return ApiMessage.Status;
+ }
+
+ NtClose(LsaHandle);
+
+ DPRINT("LsaDeregisterLogonProcess() done (Status 0x%08lx)\n", Status);
+
+ return Status;
+}
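Review bot: `LSA_API_MSG ApiMessage;` is handed to `ZwRequestWaitReplyPort` with only ApiNumber, the two length fields and ZeroInit assigned, so whatever payload bytes `LSA_PORT_DATA_SIZE(ApiMessage.DeregisterLogonProcess)` covers are sent to the LSA server as uninitialised stack contents. With this file now built into ntoskrnl, that is kernel stack memory crossing into a user-mode process; add `RtlZeroMemory(&ApiMessage, sizeof(ApiMessage));` before filling in the header. The other request functions in this file declare ApiMessage the same way, but their bodies lie outside the visible hunks, so they should be checked too. Separately, both early returns leave LsaHandle open; a comment such as `/* On failure the handle is left open and still owned by the caller */` would make that contract explicit.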