VBoxCredProvCredential.cpp@ 52002

Last change on this file since 52002 was 49722, checked in by vboxsync, 11 years ago
VBoxCredProv: Fixed auto-logon breakage introduced in r85893, added some more (verbose) logging.
Property svn:eol-style set to `native` Property svn:keywords set to `Author Date Id Revision`
File size: 34.8 KB

Line
1	/* $Id: VBoxCredProvCredential.cpp 49722 2013-11-29 11:23:41Z vboxsync $ */
2	/** @file
3	* VBoxCredProvCredential - Class for keeping and handling the passed credentials.
4	*/
5
6	/*
7	* Copyright (C) 2012 Oracle Corporation
8	*
9	* This file is part of VirtualBox Open Source Edition (OSE), as
10	* available from http://www.virtualbox.org. This file is free software;
11	* you can redistribute it and/or modify it under the terms of the GNU
12	* General Public License (GPL) as published by the Free Software
13	* Foundation, in version 2 as it comes in the "COPYING" file of the
14	* VirtualBox OSE distribution. VirtualBox OSE is distributed in the
15	* hope that it will be useful, but WITHOUT ANY WARRANTY of any kind.
16	*/
17
18	/*******************************************************************************
19	* Header Files *
20	*******************************************************************************/
21	#ifndef WIN32_NO_STATUS
22	# include <ntstatus.h>
23	# define WIN32_NO_STATUS
24	#endif
25	#include <intsafe.h>
26
27	#include "VBoxCredentialProvider.h"
28
29	#include "VBoxCredProvProvider.h"
30	#include "VBoxCredProvCredential.h"
31	#include "VBoxCredProvUtils.h"
32
33	#include <lm.h>
34
35	#include <iprt/initterm.h>
36	#include <iprt/mem.h>
37	#include <iprt/string.h>
38
39
40
41
42	VBoxCredProvCredential::VBoxCredProvCredential(void) :
43	m_enmUsageScenario(CPUS_INVALID),
44	m_cRefs(1),
45	m_pEvents(NULL),
46	m_fHaveCreds(false)
47	{
48	VBoxCredProvVerbose(0, "VBoxCredProvCredential: Created\n");
49	VBoxCredentialProviderAcquire();
50	RT_BZERO(m_apwszCredentials, sizeof(PRTUTF16) * VBOXCREDPROV_NUM_FIELDS);
51	}
52
53
54	VBoxCredProvCredential::~VBoxCredProvCredential(void)
55	{
56	VBoxCredProvVerbose(0, "VBoxCredProvCredential: Destroying\n");
57	Reset();
58	VBoxCredentialProviderRelease();
59	}
60
61
62	ULONG
63	VBoxCredProvCredential::AddRef(void)
64	{
65	LONG cRefs = InterlockedIncrement(&m_cRefs);
66	VBoxCredProvVerbose(0, "VBoxCredProvCredential::AddRef: Returning refcount=%ld\n",
67	cRefs);
68	return cRefs;
69	}
70
71
72	ULONG
73	VBoxCredProvCredential::Release(void)
74	{
75	LONG cRefs = InterlockedDecrement(&m_cRefs);
76	VBoxCredProvVerbose(0, "VBoxCredProvCredential::Release: Returning refcount=%ld\n",
77	cRefs);
78	if (!cRefs)
79	{
80	VBoxCredProvVerbose(0, "VBoxCredProvCredential: Calling destructor\n");
81	delete this;
82	}
83	return cRefs;
84	}
85
86
87	HRESULT
88	VBoxCredProvCredential::QueryInterface(REFIID interfaceID, void **ppvInterface)
89	{
90	HRESULT hr = S_OK;;
91	if (ppvInterface)
92	{
93	if ( IID_IUnknown == interfaceID
94	\|\| IID_ICredentialProviderCredential == interfaceID)
95	{
96	ppvInterface = static_cast<IUnknown>(this);
97	reinterpret_cast<IUnknown>(ppvInterface)->AddRef();
98	}
99	else
100	{
101	*ppvInterface = NULL;
102	hr = E_NOINTERFACE;
103	}
104	}
105	else
106	hr = E_INVALIDARG;
107
108	return hr;
109	}
110
111
112	/**
113	* Assigns or copies a RTUTF16 string to a UNICODE_STRING.
114	*
115	* When fCopy is false, this does not copy its contents
116	* and only assigns its code points to the destination!
117	* When fCopy is true, the actual string buffer gets copied.
118	*
119	* Does not take terminating \0 into account.
120	*
121	* @return HRESULT
122	* @param pUnicodeDest Unicode string assigning the UTF16 string to.
123	* @param pwszSource UTF16 string to assign.
124	* @param fCopy Whether to just assign or copy the actual buffer
125	* contents from source -> dest.
126	*/
127	HRESULT
128	VBoxCredProvCredential::RTUTF16ToUnicode(PUNICODE_STRING pUnicodeDest, PRTUTF16 pwszSource, bool fCopy)
129	{
130	AssertPtrReturn(pUnicodeDest, E_POINTER);
131	AssertPtrReturn(pwszSource, E_POINTER);
132
133	size_t cbLen = RTUtf16Len(pwszSource) * sizeof(RTUTF16);
134	AssertReturn(cbLen <= USHORT_MAX, E_INVALIDARG);
135
136	HRESULT hr;
137
138	if (fCopy)
139	{
140	if (cbLen <= pUnicodeDest->MaximumLength)
141	{
142	memcpy(pUnicodeDest->Buffer, pwszSource, cbLen);
143	pUnicodeDest->Length = (USHORT)cbLen;
144	hr = S_OK;
145	}
146	else
147	hr = E_INVALIDARG;
148	}
149	else /* Just assign the buffer. */
150	{
151	pUnicodeDest->Buffer = pwszSource;
152	pUnicodeDest->Length = (USHORT)cbLen;
153	hr = S_OK;
154	}
155
156	return hr;
157	}
158
159
160	HRESULT
161	VBoxCredProvCredential::AllocateLogonPackage(const KERB_INTERACTIVE_UNLOCK_LOGON &rUnlockLogon, PBYTE ppPackage, DWORD pcbPackage)
162	{
163	AssertPtrReturn(ppPackage, E_INVALIDARG);
164	AssertPtrReturn(pcbPackage, E_INVALIDARG);
165
166	const KERB_INTERACTIVE_LOGON *pLogonIn = &rUnlockLogon.Logon;
167
168	/*
169	* First, allocate enough space for the logon structure itself and separate
170	* string buffers right after it to store the actual user, password and domain
171	* credentials.
172	*/
173	DWORD cbLogon = sizeof(KERB_INTERACTIVE_UNLOCK_LOGON)
174	+ pLogonIn->LogonDomainName.Length +
175	+ pLogonIn->UserName.Length +
176	+ pLogonIn->Password.Length;
177
178	#ifdef DEBUG
179	VBoxCredProvVerbose(3, "VBoxCredProvCredential::AllocateLogonPackage: Allocating %ld bytes (%d bytes credentials)\n",
180	cbLogon, cbLogon - sizeof(KERB_INTERACTIVE_UNLOCK_LOGON));
181	#endif
182
183	KERB_INTERACTIVE_UNLOCK_LOGON pLogon = (KERB_INTERACTIVE_UNLOCK_LOGON)CoTaskMemAlloc(cbLogon);
184	if (!pLogon)
185	return E_OUTOFMEMORY;
186
187	/* Let our byte buffer point to the end of our allocated structure so that it can
188	* be used to store the credential data sequentially in a binary blob
189	* (without terminating \0). */
190	PBYTE pbBuffer = (PBYTE)pLogon + sizeof(KERB_INTERACTIVE_UNLOCK_LOGON);
191
192	/* The buffer of the packed destination string does not contain the actual
193	* string content but a relative offset starting at the given
194	* KERB_INTERACTIVE_UNLOCK_LOGON structure. */
195	#define KERB_CRED_INIT_PACKED(StringDst, StringSrc, LogonOffset) \
196	StringDst.Length = StringSrc.Length; \
197	StringDst.MaximumLength = StringSrc.Length; \
198	StringDst.Buffer = (PWSTR)pbBuffer; \
199	memcpy(StringDst.Buffer, StringSrc.Buffer, StringDst.Length); \
200	StringDst.Buffer = (PWSTR)(pbBuffer - (PBYTE)LogonOffset); \
201	pbBuffer += StringDst.Length;
202
203	RT_BZERO(&pLogon->LogonId, sizeof(LUID));
204
205	KERB_INTERACTIVE_LOGON *pLogonOut = &pLogon->Logon;
206	pLogonOut->MessageType = pLogonIn->MessageType;
207
208	KERB_CRED_INIT_PACKED(pLogonOut->LogonDomainName, pLogonIn->LogonDomainName, pLogon);
209	KERB_CRED_INIT_PACKED(pLogonOut->UserName , pLogonIn->UserName, pLogon);
210	KERB_CRED_INIT_PACKED(pLogonOut->Password , pLogonIn->Password, pLogon);
211
212	*ppPackage = (PBYTE)pLogon;
213	*pcbPackage = cbLogon;
214
215	#undef KERB_CRED_INIT_PACKED
216
217	return S_OK;
218	}
219
220
221	/**
222	* Resets (wipes) stored credentials.
223	*
224	* @return HRESULT
225	*/
226	HRESULT
227	VBoxCredProvCredential::Reset(void)
228	{
229
230	VBoxCredProvVerbose(0, "VBoxCredProvCredential::Reset: Wiping credentials user=%ls, pw=%ls, domain=%ls\n",
231	m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME],
232	#ifdef DEBUG
233	m_apwszCredentials[VBOXCREDPROV_FIELDID_PASSWORD],
234	#else
235	L"XXX" /* Don't show any passwords in release mode. */,
236	#endif
237	m_apwszCredentials[VBOXCREDPROV_FIELDID_DOMAINNAME]);
238
239	VbglR3CredentialsDestroyUtf16(m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME],
240	m_apwszCredentials[VBOXCREDPROV_FIELDID_PASSWORD],
241	m_apwszCredentials[VBOXCREDPROV_FIELDID_DOMAINNAME],
242	3 /* Passes */);
243	HRESULT hr = S_OK;
244	if (m_pEvents)
245	{
246	/* Note: On Windows 8, set "this" to "nullptr". */
247	HRESULT hr2 = m_pEvents->SetFieldString(this, VBOXCREDPROV_FIELDID_USERNAME, L"");
248	if (SUCCEEDED(hr))
249	hr = hr2;
250	hr2 = m_pEvents->SetFieldString(this, VBOXCREDPROV_FIELDID_PASSWORD, L"");
251	if (SUCCEEDED(hr))
252	hr = hr2;
253	hr2 = m_pEvents->SetFieldString(this, VBOXCREDPROV_FIELDID_DOMAINNAME, L"");
254	if (SUCCEEDED(hr))
255	hr = hr2;
256	}
257
258	VBoxCredProvVerbose(0, "VBoxCredProvCredential::Reset: Returned hr=%08x\n", hr);
259	return hr;
260	}
261
262
263	/**
264	* Checks and retrieves credentials provided by the host + does account lookup on eventually
265	* renamed user accounts.
266	*
267	* @return IPRT status code.
268	*/
269	int
270	VBoxCredProvCredential::RetrieveCredentials(void)
271	{
272	int rc = VbglR3CredentialsQueryAvailability();
273	if (RT_SUCCESS(rc))
274	{
275	/*
276	* Set status to "terminating" to let the host know this module now
277	* tries to receive and use passed credentials so that credentials from
278	* the host won't be sent twice.
279	*/
280	VBoxCredProvReportStatus(VBoxGuestFacilityStatus_Terminating);
281
282	rc = VbglR3CredentialsRetrieveUtf16(&m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME],
283	&m_apwszCredentials[VBOXCREDPROV_FIELDID_PASSWORD],
284	&m_apwszCredentials[VBOXCREDPROV_FIELDID_DOMAINNAME]);
285
286	VBoxCredProvVerbose(0, "VBoxCredProvCredential::RetrieveCredentials: Retrieved credentials with rc=%Rrc\n", rc);
287	}
288
289	if (RT_SUCCESS(rc))
290	{
291	VBoxCredProvVerbose(0, "VBoxCredProvCredential::RetrieveCredentials: User=%ls, Password=%ls, Domain=%ls\n",
292	m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME],
293	#ifdef DEBUG
294	m_apwszCredentials[VBOXCREDPROV_FIELDID_PASSWORD],
295	#else
296	L"XXX" /* Don't show any passwords in release mode. */,
297	#endif
298	m_apwszCredentials[VBOXCREDPROV_FIELDID_DOMAINNAME]);
299
300	/*
301	* In case we got a "display name" (e.g. "John Doe")
302	* instead of the real user name (e.g. "jdoe") we have
303	* to translate the data first ...
304	*/
305	PWSTR pwszAcount;
306	if (TranslateAccountName(m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME], &pwszAcount))
307	{
308	VBoxCredProvVerbose(0, "VBoxCredProvCredential::RetrieveCredentials: Translated account name %ls -> %ls\n",
309	m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME], pwszAcount);
310
311	if (m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME])
312	{
313	RTMemWipeThoroughly(m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME],
314	RTUtf16Len(m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME]) + sizeof(RTUTF16),
315	3 /* Passes */);
316	RTUtf16Free(m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME]);
317	}
318	m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME] = pwszAcount;
319	}
320	else
321	{
322	/*
323	* Okay, no display name, but maybe it's a
324	* principal name from which we have to extract the domain from?
325	* (jdoe@my-domain.sub.net.com -> jdoe in domain my-domain.sub.net.com.)
326	*/
327	PWSTR pwszDomain;
328	if (ExtractAccoutData(m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME],
329	&pwszAcount, &pwszDomain))
330	{
331	/* Update user name. */
332	if (m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME])
333	{
334	RTMemWipeThoroughly(m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME],
335	RTUtf16Len(m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME]) + sizeof(RTUTF16),
336	3 /* Passes */);
337	RTUtf16Free(m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME]);
338	}
339	m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME] = pwszAcount;
340
341	/* Update domain. */
342	if (m_apwszCredentials[VBOXCREDPROV_FIELDID_DOMAINNAME])
343	{
344	RTMemWipeThoroughly(m_apwszCredentials[VBOXCREDPROV_FIELDID_DOMAINNAME],
345	RTUtf16Len(m_apwszCredentials[VBOXCREDPROV_FIELDID_DOMAINNAME]) + sizeof(RTUTF16),
346	3 /* Passes */);
347	RTUtf16Free(m_apwszCredentials[VBOXCREDPROV_FIELDID_DOMAINNAME]);
348	}
349	m_apwszCredentials[VBOXCREDPROV_FIELDID_DOMAINNAME] = pwszDomain;
350
351	VBoxCredProvVerbose(0, "VBoxCredProvCredential::RetrieveCredentials: Extracted account data pwszAccount=%ls, pwszDomain=%ls\n",
352	m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME],
353	m_apwszCredentials[VBOXCREDPROV_FIELDID_DOMAINNAME]);
354	}
355	}
356
357	m_fHaveCreds = true;
358	}
359	else
360	{
361	/* If credentials already were retrieved by a former call, don't try to retrieve new ones
362	* and just report back the already retrieved ones. */
363	if (m_fHaveCreds)
364	{
365	VBoxCredProvVerbose(0, "VBoxCredProvCredential::RetrieveCredentials: Credentials already retrieved\n");
366	rc = VINF_SUCCESS;
367	}
368	}
369
370	VBoxCredProvVerbose(0, "VBoxCredProvCredential::RetrieveCredentials: Returned rc=%Rrc\n", rc);
371	return rc;
372	}
373
374
375	/**
376	* Initializes this credential with the current credential provider
377	* usage scenario.
378	*/
379	HRESULT
380	VBoxCredProvCredential::Initialize(CREDENTIAL_PROVIDER_USAGE_SCENARIO enmUsageScenario)
381	{
382	VBoxCredProvVerbose(0, "VBoxCredProvCredential::Initialize: enmUsageScenario=%ld\n", enmUsageScenario);
383	m_enmUsageScenario = enmUsageScenario;
384	return S_OK;
385	}
386
387
388	/**
389	* Called by LogonUI when it needs this credential's advice.
390	*
391	* At the moment we only grab the credential provider events so that we can
392	* trigger a re-enumeration of the credentials later.
393	*/
394	HRESULT
395	VBoxCredProvCredential::Advise(ICredentialProviderCredentialEvents *pEvents)
396	{
397	VBoxCredProvVerbose(0, "VBoxCredProvCredential::Advise: pEvents=0x%p\n",
398	pEvents);
399
400	if (m_pEvents)
401	{
402	m_pEvents->Release();
403	m_pEvents = NULL;
404	}
405
406	m_pEvents = pEvents;
407	if (m_pEvents)
408	m_pEvents->AddRef();
409
410	return S_OK;
411	}
412
413
414	/**
415	* Called by LogonUI when it's finished with handling this credential.
416	*
417	* We only need to release the credential provider events, if any.
418	*/
419	HRESULT
420	VBoxCredProvCredential::UnAdvise(void)
421	{
422	VBoxCredProvVerbose(0, "VBoxCredProvCredential::UnAdvise\n");
423
424	if (m_pEvents)
425	{
426	m_pEvents->Release();
427	m_pEvents = NULL;
428	}
429
430	return S_OK;
431	}
432
433
434	/**
435	* Called by LogonUI when a user profile (tile) has been selected.
436	*
437	* As we don't want Winlogon to try logging in immediately we set pfAutoLogon
438	* to FALSE (if set).
439	*/
440	HRESULT
441	VBoxCredProvCredential::SetSelected(PBOOL pfAutoLogon)
442	{
443	VBoxCredProvVerbose(0, "VBoxCredProvCredential::SetSelected\n");
444
445	/*
446	* Don't do auto logon here because it would retry too often with
447	* every credential field (user name, password, domain, ...) which makes
448	* winlogon wait before new login attempts can be made.
449	*/
450	if (pfAutoLogon)
451	*pfAutoLogon = FALSE;
452	return S_OK;
453	}
454
455
456	/**
457	* Called by LogonUI when a user profile (tile) has been unselected again.
458	*/
459	HRESULT
460	VBoxCredProvCredential::SetDeselected(void)
461	{
462	VBoxCredProvVerbose(0, "VBoxCredProvCredential::SetDeselected\n");
463
464	Reset();
465
466	if (m_pEvents)
467	m_pEvents->SetFieldString(this, VBOXCREDPROV_FIELDID_PASSWORD, L"");
468
469	return S_OK;
470	}
471
472
473	/**
474	* Called by LogonUI to retrieve the (interactive) state of a UI field.
475	*/
476	HRESULT
477	VBoxCredProvCredential::GetFieldState(DWORD dwFieldID, CREDENTIAL_PROVIDER_FIELD_STATE *pFieldState,
478	CREDENTIAL_PROVIDER_FIELD_INTERACTIVE_STATE *pFieldstateInteractive)
479	{
480	VBoxCredProvVerbose(0, "VBoxCredProvCredential::GetFieldState: dwFieldID=%ld\n", dwFieldID);
481
482	HRESULT hr = S_OK;
483
484	if ( (dwFieldID < VBOXCREDPROV_NUM_FIELDS)
485	&& pFieldState
486	&& pFieldstateInteractive)
487	{
488	*pFieldState = s_VBoxCredProvFields[dwFieldID].state;
489	*pFieldstateInteractive = s_VBoxCredProvFields[dwFieldID].stateInteractive;
490	}
491	else
492	hr = E_INVALIDARG;
493
494	return hr;
495	}
496
497
498	/**
499	* Searches the account name based on a display (real) name (e.g. "John Doe" -> "jdoe").
500	* Result "ppwszAccoutName" needs to be freed with CoTaskMemFree!
501	*/
502	BOOL
503	VBoxCredProvCredential::TranslateAccountName(PWSTR pwszDisplayName, PWSTR *ppwszAccoutName)
504	{
505	AssertPtrReturn(pwszDisplayName, FALSE);
506	VBoxCredProvVerbose(0, "VBoxCredProvCredential::TranslateAccountName: Getting account name for \"%ls\" ...\n",
507	pwszDisplayName);
508
509	/** @todo Do we need ADS support (e.g. TranslateNameW) here? */
510	BOOL fFound = FALSE; /* Did we find the desired user? */
511	NET_API_STATUS rcStatus;
512	DWORD dwLevel = 2; /* Detailed information about user accounts. */
513	DWORD dwPrefMaxLen = MAX_PREFERRED_LENGTH;
514	DWORD dwEntriesRead = 0;
515	DWORD dwTotalEntries = 0;
516	DWORD dwResumeHandle = 0;
517	LPUSER_INFO_2 pBuf = NULL;
518	LPUSER_INFO_2 pCurBuf = NULL;
519	do
520	{
521	rcStatus = NetUserEnum(NULL, /* Server name, NULL for localhost. */
522	dwLevel,
523	FILTER_NORMAL_ACCOUNT,
524	(LPBYTE*)&pBuf,
525	dwPrefMaxLen,
526	&dwEntriesRead,
527	&dwTotalEntries,
528	&dwResumeHandle);
529	if ( rcStatus == NERR_Success
530	\|\| rcStatus == ERROR_MORE_DATA)
531	{
532	if ((pCurBuf = pBuf) != NULL)
533	{
534	for (DWORD i = 0; i < dwEntriesRead; i++)
535	{
536	/*
537	* Search for the "display name" - that might be
538	* "John Doe" or something similar the user recognizes easier
539	* and may not the same as the "account" name (e.g. "jdoe").
540	*/
541	if ( pCurBuf
542	&& pCurBuf->usri2_full_name
543	&& StrCmpI(pwszDisplayName, pCurBuf->usri2_full_name) == 0)
544	{
545	/*
546	* Copy the real user name (e.g. "jdoe") to our
547	* output buffer.
548	*/
549	LPWSTR pwszTemp;
550	HRESULT hr = SHStrDupW(pCurBuf->usri2_name, &pwszTemp);
551	if (hr == S_OK)
552	{
553	*ppwszAccoutName = pwszTemp;
554	fFound = TRUE;
555	}
556	else
557	VBoxCredProvVerbose(0, "VBoxCredProvCredential::TranslateAccountName: Error copying data, hr=%08x\n", hr);
558	break;
559	}
560	pCurBuf++;
561	}
562	}
563	if (pBuf != NULL)
564	{
565	NetApiBufferFree(pBuf);
566	pBuf = NULL;
567	}
568	}
569	} while (rcStatus == ERROR_MORE_DATA && !fFound);
570
571	if (pBuf != NULL)
572	{
573	NetApiBufferFree(pBuf);
574	pBuf = NULL;
575	}
576
577	VBoxCredProvVerbose(0, "VBoxCredProvCredential::TranslateAccountName returned rcStatus=%ld, fFound=%RTbool\n",
578	rcStatus, fFound);
579	return fFound;
580
581	#if 0
582	DWORD dwErr = NO_ERROR;
583	ULONG cbLen = 0;
584	if ( TranslateNameW(pwszName, NameUnknown, NameUserPrincipal, NULL, &cbLen)
585	&& cbLen > 0)
586	{
587	VBoxCredProvVerbose(0, "VBoxCredProvCredential::GetAccountName: Translated ADS name has %u characters\n", cbLen));
588
589	ppwszAccoutName = (PWSTR)RTMemAlloc(cbLen * sizeof(WCHAR));
590	AssertPtrReturn(pwszName, FALSE);
591	if (TranslateNameW(pwszName, NameUnknown, NameUserPrincipal, ppwszAccoutName, &cbLen))
592	{
593	VBoxCredProvVerbose(0, "VBoxCredProvCredential::GetAccountName: Real ADS account name of '%ls' is '%ls'\n",
594	pwszName, ppwszAccoutName));
595	}
596	else
597	{
598	RTMemFree(ppwszAccoutName);
599	dwErr = GetLastError();
600	}
601	}
602	else
603	dwErr = GetLastError();
604	/* The above method for looking up in ADS failed, try another one. */
605	if (dwErr != NO_ERROR)
606	{
607	dwErr = NO_ERROR;
608
609	}
610	#endif
611	}
612
613
614	/**
615	* Extracts the actual account name & domain from a (raw) account data string.
616	*
617	* This might be a principal or FQDN string.
618	*/
619	BOOL
620	VBoxCredProvCredential::ExtractAccoutData(PWSTR pwszAccountData, PWSTR ppwszAccoutName, PWSTR ppwszDomain)
621	{
622	AssertPtrReturn(pwszAccountData, FALSE);
623	VBoxCredProvVerbose(0, "VBoxCredProvCredential::ExtractAccoutData: Getting account name for \"%ls\" ...\n",
624	pwszAccountData);
625	HRESULT hr = E_FAIL;
626
627	/* Try to figure out whether this is a principal name (user@domain). */
628	LPWSTR pPos = NULL;
629	if ( (pPos = StrChrW(pwszAccountData, L'@')) != NULL
630	&& pPos != pwszAccountData)
631	{
632	size_t cbSize = (pPos - pwszAccountData) * sizeof(WCHAR);
633	LPWSTR pwszName = (LPWSTR)CoTaskMemAlloc(cbSize + sizeof(WCHAR)); /* Space for terminating zero. */
634	LPWSTR pwszDomain = NULL;
635	AssertPtr(pwszName);
636	hr = StringCbCopyN(pwszName, cbSize + sizeof(WCHAR), pwszAccountData, cbSize);
637	if (SUCCEEDED(hr))
638	{
639	*ppwszAccoutName = pwszName;
640	pPos++; / Skip @, point to domain name (if any). */
641	if ( pPos != NULL
642	&& *pPos != L'\0')
643	{
644	hr = SHStrDupW(pPos, &pwszDomain);
645	if (SUCCEEDED(hr))
646	{
647	*ppwszDomain = pwszDomain;
648	}
649	else
650	VBoxCredProvVerbose(0, "VBoxCredProvCredential::ExtractAccoutData: Error copying domain data, hr=%08x\n", hr);
651	}
652	else
653	{
654	hr = E_FAIL;
655	VBoxCredProvVerbose(0, "VBoxCredProvCredential::ExtractAccoutData: No domain name found!\n");
656	}
657	}
658	else
659	VBoxCredProvVerbose(0, "VBoxCredProvCredential::ExtractAccoutData: Error copying account data, hr=%08x\n", hr);
660
661	if (hr != S_OK)
662	{
663	CoTaskMemFree(pwszName);
664	if (pwszDomain)
665	CoTaskMemFree(pwszDomain);
666	}
667	}
668	else
669	VBoxCredProvVerbose(0, "VBoxCredProvCredential::ExtractAccoutData: No valid principal account name found!\n");
670
671	return (hr == S_OK);
672	}
673
674
675	/**
676	* Returns the value of a specified LogonUI field.
677	*
678	* @return IPRT status code.
679	* @param dwFieldID Field ID to get value for.
680	* @param ppwszString Pointer that receives the actual value of the specified field.
681	*/
682	HRESULT
683	VBoxCredProvCredential::GetStringValue(DWORD dwFieldID, PWSTR *ppwszString)
684	{
685	HRESULT hr;
686	if ( dwFieldID < VBOXCREDPROV_NUM_FIELDS
687	&& ppwszString)
688	{
689	switch (dwFieldID)
690	{
691	case VBOXCREDPROV_FIELDID_SUBMIT_BUTTON:
692	/* Fill in standard value to make Winlogon happy. */
693	hr = SHStrDupW(L"Submit", ppwszString);
694	break;
695
696	default:
697	if ( m_apwszCredentials[dwFieldID]
698	&& RTUtf16Len(m_apwszCredentials[dwFieldID]))
699	hr = SHStrDupW(m_apwszCredentials[dwFieldID], ppwszString);
700	else /* Fill in an empty value. */
701	hr = SHStrDupW(L"", ppwszString);
702	break;
703	}
704	#ifdef DEBUG
705	if (SUCCEEDED(hr))
706	VBoxCredProvVerbose(0, "VBoxCredProvCredential::GetStringValue: dwFieldID=%ld, ppwszString=%ls\n",
707	dwFieldID, *ppwszString);
708	#endif
709	}
710	else
711	hr = E_INVALIDARG;
712	return hr;
713	}
714
715
716	/**
717	* Returns back the field ID of which the submit button should be put next to.
718	*
719	* We always want to be the password field put next to the submit button
720	* currently.
721	*
722	* @return HRESULT
723	* @param dwFieldID Field ID of the submit button.
724	* @param pdwAdjacentTo Field ID where to put the submit button next to.
725	*/
726	HRESULT
727	VBoxCredProvCredential::GetSubmitButtonValue(DWORD dwFieldID, DWORD *pdwAdjacentTo)
728	{
729	VBoxCredProvVerbose(0, "VBoxCredProvCredential::GetSubmitButtonValue: dwFieldID=%ld\n",
730	dwFieldID);
731
732	HRESULT hr = S_OK;
733
734	/* Validate parameters. */
735	if ( dwFieldID == VBOXCREDPROV_FIELDID_SUBMIT_BUTTON
736	&& pdwAdjacentTo)
737	{
738	/* pdwAdjacentTo is a pointer to the fieldID you want the submit button to appear next to. */
739	*pdwAdjacentTo = VBOXCREDPROV_FIELDID_PASSWORD;
740	VBoxCredProvVerbose(0, "VBoxCredProvCredential::GetSubmitButtonValue: dwFieldID=%ld, *pdwAdjacentTo=%ld\n",
741	dwFieldID, *pdwAdjacentTo);
742	}
743	else
744	hr = E_INVALIDARG;
745
746	return hr;
747	}
748
749
750	/**
751	* Sets the value of a specified field. Currently not used.
752	*
753	* @return HRESULT
754	* @param dwFieldID Field to set value for.
755	* @param pcwzString Actual value to set.
756	*/
757	HRESULT
758	VBoxCredProvCredential::SetStringValue(DWORD dwFieldID, PCWSTR pcwzString)
759	{
760	#ifdef DEBUG
761	VBoxCredProvVerbose(0, "VBoxCredProvCredential::SetStringValue: dwFieldID=%ld, pcwzString=%ls\n",
762	dwFieldID, pcwzString);
763	#endif
764
765	/* Do more things here later. */
766	HRESULT hr = S_OK;
767
768	VBoxCredProvVerbose(0, "VBoxCredProvCredential::SetStringValue returned with hr=%08x\n", hr);
769	return hr;
770	}
771
772
773	HRESULT
774	VBoxCredProvCredential::GetBitmapValue(DWORD dwFieldID, HBITMAP *phBitmap)
775	{
776	NOREF(dwFieldID);
777	NOREF(phBitmap);
778
779	/* We don't do own bitmaps. */
780	return E_NOTIMPL;
781	}
782
783
784	HRESULT
785	VBoxCredProvCredential::GetCheckboxValue(DWORD dwFieldID, BOOL pfChecked, PWSTR ppwszLabel)
786	{
787	NOREF(dwFieldID);
788	NOREF(pfChecked);
789	NOREF(ppwszLabel);
790	return E_NOTIMPL;
791	}
792
793
794	HRESULT
795	VBoxCredProvCredential::GetComboBoxValueCount(DWORD dwFieldID, DWORD pcItems, DWORD pdwSelectedItem)
796	{
797	NOREF(dwFieldID);
798	NOREF(pcItems);
799	NOREF(pdwSelectedItem);
800	return E_NOTIMPL;
801	}
802
803
804	HRESULT
805	VBoxCredProvCredential::GetComboBoxValueAt(DWORD dwFieldID, DWORD dwItem, PWSTR *ppwszItem)
806	{
807	NOREF(dwFieldID);
808	NOREF(dwItem);
809	NOREF(ppwszItem);
810	return E_NOTIMPL;
811	}
812
813
814	HRESULT
815	VBoxCredProvCredential::SetCheckboxValue(DWORD dwFieldID, BOOL fChecked)
816	{
817	NOREF(dwFieldID);
818	NOREF(fChecked);
819	return E_NOTIMPL;
820	}
821
822
823	HRESULT
824	VBoxCredProvCredential::SetComboBoxSelectedValue(DWORD dwFieldId, DWORD dwSelectedItem)
825	{
826	NOREF(dwFieldId);
827	NOREF(dwSelectedItem);
828	return E_NOTIMPL;
829	}
830
831
832	HRESULT
833	VBoxCredProvCredential::CommandLinkClicked(DWORD dwFieldID)
834	{
835	NOREF(dwFieldID);
836	return E_NOTIMPL;
837	}
838
839
840	/**
841	* Does the actual authentication stuff to attempt a login.
842	*
843	* @return HRESULT
844	* @param pcpGetSerializationResponse Credential serialization response.
845	* @param pcpCredentialSerialization Details about the current credential.
846	* @param ppwszOptionalStatusText Text to set. Optional.
847	* @param pcpsiOptionalStatusIcon Status icon to set. Optional.
848	*/
849	HRESULT
850	VBoxCredProvCredential::GetSerialization(CREDENTIAL_PROVIDER_GET_SERIALIZATION_RESPONSE *pcpGetSerializationResponse,
851	CREDENTIAL_PROVIDER_CREDENTIAL_SERIALIZATION *pcpCredentialSerialization,
852	PWSTR *ppwszOptionalStatusText,
853	CREDENTIAL_PROVIDER_STATUS_ICON *pcpsiOptionalStatusIcon)
854	{
855	NOREF(ppwszOptionalStatusText);
856	NOREF(pcpsiOptionalStatusIcon);
857
858	KERB_INTERACTIVE_UNLOCK_LOGON KerberosUnlockLogon;
859	RT_BZERO(&KerberosUnlockLogon, sizeof(KerberosUnlockLogon));
860
861	/* Save a pointer to the interactive logon struct. */
862	KERB_INTERACTIVE_LOGON *pKerberosLogon = &KerberosUnlockLogon.Logon;
863	AssertPtr(pKerberosLogon);
864
865	HRESULT hr;
866
867	#ifdef DEBUG
868	VBoxCredProvVerbose(0, "VBoxCredProvCredential::GetSerialization: Username=%ls, Password=%ls, Domain=%ls\n",
869	m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME],
870	m_apwszCredentials[VBOXCREDPROV_FIELDID_PASSWORD],
871	m_apwszCredentials[VBOXCREDPROV_FIELDID_DOMAINNAME]);
872	#endif
873
874	/* Do we have a domain name set? */
875	if ( m_apwszCredentials[VBOXCREDPROV_FIELDID_DOMAINNAME]
876	&& RTUtf16Len(m_apwszCredentials[VBOXCREDPROV_FIELDID_DOMAINNAME]))
877	{
878	hr = RTUTF16ToUnicode(&pKerberosLogon->LogonDomainName,
879	m_apwszCredentials[VBOXCREDPROV_FIELDID_DOMAINNAME],
880	false /* Just assign, no copy */);
881	}
882	else /* No domain (FQDN) given, try local computer name. */
883	{
884	WCHAR wszComputerName[MAX_COMPUTERNAME_LENGTH + 1];
885	DWORD cch = ARRAYSIZE(wszComputerName);
886	if (GetComputerNameW(wszComputerName, &cch))
887	{
888	/* Is a domain name missing? Then use the name of the local computer. */
889	hr = RTUTF16ToUnicode(&pKerberosLogon->LogonDomainName,
890	wszComputerName,
891	false /* Just assign, no copy */);
892
893	VBoxCredProvVerbose(0, "VBoxCredProvCredential::GetSerialization: Local computer name=%ls\n",
894	wszComputerName);
895	}
896	else
897	hr = HRESULT_FROM_WIN32(GetLastError());
898	}
899
900	/* Fill in the username and password. */
901	if (SUCCEEDED(hr))
902	{
903	hr = RTUTF16ToUnicode(&pKerberosLogon->UserName,
904	m_apwszCredentials[VBOXCREDPROV_FIELDID_USERNAME],
905	false /* Just assign, no copy */);
906	if (SUCCEEDED(hr))
907	{
908	hr = RTUTF16ToUnicode(&pKerberosLogon->Password,
909	m_apwszCredentials[VBOXCREDPROV_FIELDID_PASSWORD],
910	false /* Just assign, no copy */);
911	if (SUCCEEDED(hr))
912	{
913	/* Set credential type according to current usage scenario. */
914	AssertPtr(pKerberosLogon);
915	switch (m_enmUsageScenario)
916	{
917	case CPUS_UNLOCK_WORKSTATION:
918	pKerberosLogon->MessageType = KerbWorkstationUnlockLogon;
919	break;
920
921	case CPUS_LOGON:
922	pKerberosLogon->MessageType = KerbInteractiveLogon;
923	break;
924
925	case CPUS_CREDUI:
926	pKerberosLogon->MessageType = (KERB_LOGON_SUBMIT_TYPE)0; /* No message type required here. */
927	break;
928
929	default:
930	hr = E_FAIL;
931	break;
932	}
933
934	if (FAILED(hr))
935	VBoxCredProvVerbose(0, "VBoxCredProvCredential::GetSerialization: Unknown usage scenario=%ld\n", m_enmUsageScenario);
936
937	if (SUCCEEDED(hr)) /* Build the logon package. */
938	{
939	hr = AllocateLogonPackage(KerberosUnlockLogon,
940	&pcpCredentialSerialization->rgbSerialization,
941	&pcpCredentialSerialization->cbSerialization);
942	if (FAILED(hr))
943	VBoxCredProvVerbose(0, "VBoxCredProvCredential::GetSerialization: Failed to allocate logon package, hr=0x%08x\n", hr);
944	}
945
946	if (SUCCEEDED(hr))
947	{
948	ULONG ulAuthPackage;
949
950	HANDLE hLsa;
951	NTSTATUS s = LsaConnectUntrusted(&hLsa);
952	if (SUCCEEDED(HRESULT_FROM_NT(s)))
953	{
954	LSA_STRING lsaszKerberosName;
955	size_t cchKerberosName;
956	hr = StringCchLengthA(NEGOSSP_NAME_A, USHORT_MAX, &cchKerberosName);
957	if (SUCCEEDED(hr))
958	{
959	USHORT usLength;
960	hr = SizeTToUShort(cchKerberosName, &usLength);
961	if (SUCCEEDED(hr))
962	{
963	lsaszKerberosName.Buffer = (PCHAR)NEGOSSP_NAME_A;
964	lsaszKerberosName.Length = usLength;
965	lsaszKerberosName.MaximumLength = lsaszKerberosName.Length + 1;
966
967	}
968	}
969
970	if (SUCCEEDED(hr))
971	{
972	s = LsaLookupAuthenticationPackage(hLsa, &lsaszKerberosName,
973	&ulAuthPackage);
974	if (FAILED(HRESULT_FROM_NT(s)))
975	{
976	hr = HRESULT_FROM_NT(s);
977	VBoxCredProvVerbose(0, "VBoxCredProvCredential::GetSerialization: Failed looking up authentication package, hr=0x%08x\n", hr);
978	}
979	}
980
981	LsaDeregisterLogonProcess(hLsa);
982	}
983
984	if (SUCCEEDED(hr))
985	{
986	pcpCredentialSerialization->ulAuthenticationPackage = ulAuthPackage;
987	pcpCredentialSerialization->clsidCredentialProvider = CLSID_VBoxCredProvider;
988
989	/* We're done -- let the logon UI know. */
990	*pcpGetSerializationResponse = CPGSR_RETURN_CREDENTIAL_FINISHED;
991	}
992	}
993	}
994	else
995	VBoxCredProvVerbose(0, "VBoxCredProvCredential::GetSerialization: Error copying password, hr=0x%08x\n", hr);
996	}
997	else
998	VBoxCredProvVerbose(0, "VBoxCredProvCredential::GetSerialization: Error copying user name, hr=0x%08x\n", hr);
999	}
1000
1001	VBoxCredProvVerbose(0, "VBoxCredProvCredential::GetSerialization returned hr=0x%08x\n", hr);
1002	return hr;
1003	}
1004
1005
1006	/**
1007	* Called by LogonUI after a logon attempt was made -- here we could set an additional status
1008	* text and/or icon.
1009	*
1010	* Currently not used.
1011	*
1012	* @return HRESULT
1013	* @param ntStatus NT status of logon attempt reported by Winlogon.
1014	* @param ntSubStatus NT substatus of logon attempt reported by Winlogon.
1015	* @param ppwszOptionalStatusText Pointer that receives the optional status text.
1016	* @param pcpsiOptionalStatusIcon Pointer that receives the optional status icon.
1017	*/
1018	HRESULT
1019	VBoxCredProvCredential::ReportResult(NTSTATUS ntStatus,
1020	NTSTATUS ntSubStatus,
1021	PWSTR *ppwszOptionalStatusText,
1022	CREDENTIAL_PROVIDER_STATUS_ICON *pcpsiOptionalStatusIcon)
1023	{
1024	VBoxCredProvVerbose(0, "VBoxCredProvCredential::ReportResult: ntStatus=%ld, ntSubStatus=%ld\n",
1025	ntStatus, ntSubStatus);
1026	return S_OK;
1027	}
1028

Note: See TracBrowser for help on using the repository browser.

source: vbox/trunk/src/VBox/Additions/WINNT/VBoxCredProv/VBoxCredProvCredential.cpp@ 52002

Download in other formats: