public static void DecryptSecret(_RPC_UNICODE_STRING input, byte[] sessionKey, out _RPC_UNICODE_STRING output)
{
output = new _RPC_UNICODE_STRING();
uint blockLength = CRYPT_BLOCK_LENGTH; //encrypt every 8 bytes
uint keyLength = CRYPT_KEY_LENGTH; //used to compute output key
uint keyIndex = 0; //the key index of sessionKey
byte[] buffer = new byte[blockLength];
byte[] inputBuffer = new byte[input.Length];
Buffer.BlockCopy(input.Buffer, 0, inputBuffer, 0, input.Length);
DesEcbLmDecode(ArrayUtility.SubArray(inputBuffer, 0, (int)blockLength), sessionKey, out buffer);
//output.Length and version are combined in 8 bytes as the header, each of them occupys 4 bytes.
output.Length = TypeMarshal.ToStruct <ushort>(buffer);
uint version = TypeMarshal.ToStruct <uint>(ArrayUtility.SubArray(buffer, 4, sizeof(uint)));
byte[] outputBuffer = new byte[0];
if (version != CRYPT_VERSION)
{
throw new ArgumentException("failed in checking version.");
}
//get the next 7 bytes in sessionKey as the key of DesEcbLm
//if not enough,
keyIndex = AdvanceKey(keyIndex);
uint remaining = input.Length - blockLength;
uint count = 1;
while (remaining > blockLength)
{
DesEcbLmDecode(ArrayUtility.SubArray(inputBuffer, (int)(count * blockLength), (int)blockLength),
ArrayUtility.SubArray(sessionKey, (int)keyIndex, (int)keyLength), out buffer);
outputBuffer = ArrayUtility.ConcatenateArrays(outputBuffer, buffer);
keyIndex = AdvanceKey(keyIndex);
count++;
remaining -= blockLength;
}
if (remaining > 0)
{
byte[] temp = new byte[blockLength];
Buffer.BlockCopy(inputBuffer, (int)(count * blockLength), temp, 0, (int)remaining);
DesEcbLmDecode(temp, ArrayUtility.SubArray(sessionKey, (int)keyIndex, (int)keyLength),
out buffer);
outputBuffer = ArrayUtility.ConcatenateArrays(outputBuffer, buffer);
}
output.Buffer = new ushort[outputBuffer.Length / sizeof(ushort)];
output.MaximumLength = (ushort)outputBuffer.Length;
Buffer.BlockCopy(outputBuffer, 0, output.Buffer, 0, outputBuffer.Length);
}
public S4UDelegationInfo(string s4uProxyTarget, string[] s4uTransitedServices)
{
Type = PacInfoBufferType.S4U2Proxy;
_RPC_UNICODE_STRING[] tmp = new _RPC_UNICODE_STRING[s4uTransitedServices.Length];
int c = 0;
foreach (string s4uTransitedService in s4uTransitedServices)
{
tmp[c] = new _RPC_UNICODE_STRING(s4uTransitedService);
c += 1;
}
s4u = new _S4U_DELEGATION_INFO(new _RPC_UNICODE_STRING(s4uProxyTarget), s4uTransitedServices.Length, tmp);
}
public static void EncryptSecret(_RPC_UNICODE_STRING input, byte[] sessionKey, out _RPC_UNICODE_STRING output)
{
output = new _RPC_UNICODE_STRING();
uint blockLength = CRYPT_BLOCK_LENGTH; //encrypt every 8 bytes
uint keyLength = CRYPT_KEY_LENGTH; //used to compute output key
uint keyIndex = 0; //the key index of sessionKey
byte[] buffer = new byte[blockLength];
uint version = CRYPT_VERSION; //the version must be 1, defined in TD.
//copy input.Length and version to buffer, each of them occupys 4 bytes
//It's the encrypted data's header, when decrypting, the length and version would be decoded in
//the same format.
Array.Copy(BitConverter.GetBytes(input.Length), buffer, sizeof(ushort));
Array.Copy(BitConverter.GetBytes(version), 0, buffer, 4, sizeof(uint));
byte[] outputBuffer = new byte[buffer.Length];
DesEcbLmEncode(buffer, sessionKey, out outputBuffer);
byte[] inputBuffer = new byte[input.Length];
Buffer.BlockCopy(input.Buffer, 0, inputBuffer, 0, input.Length);
keyIndex = AdvanceKey(keyIndex);
uint remaining = input.Length;
uint count = 0;
while (remaining > blockLength)
{
DesEcbLmEncode(ArrayUtility.SubArray(inputBuffer, (int)(count * blockLength), (int)blockLength),
ArrayUtility.SubArray(sessionKey, (int)keyIndex, (int)keyLength), out buffer);
outputBuffer = ArrayUtility.ConcatenateArrays(outputBuffer, buffer);
keyIndex = AdvanceKey(keyIndex);
count++;
remaining -= blockLength;
}
if (remaining > 0)
{
byte[] temp = new byte[blockLength];
Buffer.BlockCopy(inputBuffer, (int)(count * blockLength), temp, 0, (int)remaining);
DesEcbLmEncode(temp, ArrayUtility.SubArray(sessionKey, (int)keyIndex, (int)keyLength),
out buffer);
outputBuffer = ArrayUtility.ConcatenateArrays(outputBuffer, buffer);
}
output.Length = (ushort)outputBuffer.Length;
output.MaximumLength = (ushort)outputBuffer.Length;
//output.Length is the length in bytes of output.Buffer
output.Buffer = new ushort[output.Length / sizeof(ushort)];
Buffer.BlockCopy(outputBuffer, 0, output.Buffer, 0, output.Length);
}
/// <summary>
/// Creates an S4uDelegationInfo instance using the specified s4U2proxyTarget and
/// s4UTransitedServices.
/// </summary>
/// <param name="s4U2proxyTarget">the name of the principal to whom the application
/// can be constraint delegated.</param>
/// <param name="s4UTransitedServices">The list of all services that configured to
/// be delegated.</param>
/// <returns>The created S4uDelegationInfo instance.</returns>
public static S4uDelegationInfo CreateS4uInfoBuffer(
string s4U2proxyTarget,
params string[] s4UTransitedServices)
{
S4uDelegationInfo s4uInfo = new S4uDelegationInfo();
s4uInfo.NativeS4uDelegationInfo.S4U2proxyTarget = DtypUtility.ToRpcUnicodeString(s4U2proxyTarget);
s4uInfo.NativeS4uDelegationInfo.TransitedListSize = (uint)s4UTransitedServices.Length;
_RPC_UNICODE_STRING[] transitedServiceArray = new _RPC_UNICODE_STRING[s4UTransitedServices.Length];
for (int i = 0; i < transitedServiceArray.Length; i++)
{
transitedServiceArray[i] = DtypUtility.ToRpcUnicodeString(s4UTransitedServices[i]);
}
s4uInfo.NativeS4uDelegationInfo.S4UTransitedServices = transitedServiceArray;
return(s4uInfo);
}
/// <summary>
/// Method to read the Wellknown Principal Names from ptfconfig file
/// which are given in Section 7.1.1.2.6 of ADTS document, and convert them into RPC_UNICODE_STRING format.
/// </summary>
/// <param name="numberOfUsers">Contains the number of well known users.</param>
/// <param name="securityPrincipals">The security principals of well known users.</param>
/// <param name="rpcNameBuffer">The RPC name.</param>
public static void InitializeWellknownPrincipalNames(
uint numberOfUsers,
string[] securityPrincipals,
ref _RPC_UNICODE_STRING[] rpcNameBuffer)
{
rpcNameBuffer = new _RPC_UNICODE_STRING[numberOfUsers];
nameString = new string[numberOfUsers];
for (int index = 0; index < numberOfUsers; index++)
{
nameString[index] = securityPrincipals[index];
char[] nameArray = new char[nameString[index].Length];
nameArray = nameString[index].ToCharArray();
rpcNameBuffer[index].Buffer = new ushort[nameArray.Length];
Array.Copy(nameArray, rpcNameBuffer[index].Buffer, nameArray.Length);
rpcNameBuffer[index].Length = (ushort)(2 * rpcNameBuffer[index].Buffer.Length);
rpcNameBuffer[index].MaximumLength = (ushort)(rpcNameBuffer[index].Length + 2);
}
}
public static _LSAPR_TRUSTED_DOMAIN_INFORMATION_EX[] DomainInformation(string testDomainName, int trustDirection)
{
_LSAPR_TRUSTED_DOMAIN_INFORMATION_EX[] DomainInformation = new _LSAPR_TRUSTED_DOMAIN_INFORMATION_EX[1];
_RPC_UNICODE_STRING[] DomainName = new _RPC_UNICODE_STRING[1];
GetTheDomainName(testDomainName, ref DomainName);
DomainName[0].Length = (ushort)(DomainName[0].Buffer.Length * 2);
DomainName[0].MaximumLength = (ushort)(2 + DomainName[0].Length);
DomainInformation[0].Name = new _RPC_UNICODE_STRING();
DomainInformation[0].Name = DomainName[0];
DomainInformation[0].FlatName = DomainName[0];
DomainInformation[0].Sid = Utilities.GetSid(testDomainName);
DomainInformation[0].TrustAttributes = MS_ADTS_SecurityRequirementsValidator.TrustAttributes;
DomainInformation[0].TrustDirection = (uint)trustDirection;
DomainInformation[0].TrustType = TrustType_Values.ActiveDirectory;
return(DomainInformation);
}
public ErrorStatus DeleteObject(
int handleInput,
ObjectEnum usedObject,
out Handle handleOutput)
{
_LSAPR_OBJECT_ATTRIBUTES[] objectAttributesForDelete = new _LSAPR_OBJECT_ATTRIBUTES[1];
_RPC_UNICODE_STRING[] SecretName = new _RPC_UNICODE_STRING[1];
IntPtr? deleteHandle = IntPtr.Zero;
IntPtr? PolicyHandle2 = IntPtr.Zero;
IntPtr? deletedHandle = IntPtr.Zero;
Hashtable htCheckHandle = new Hashtable();
if (TurstDomainFlag && usedObject == ObjectEnum.TrustDomainObject)
{
////Check if Interdomain Trust Account exist and is valid
bool isInterdomainTrustAccountExist = !CheckInterdomainTrustAccount();
uintMethodStatus = lsadClientStack.LsarDeleteObject(ref validTrustHandle);
handleOutput = (IntPtr.Zero == validTrustHandle) ? Handle.Null : Handle.Invalid;
TurstDomainFlag = false;
////Check if interdomain trust account is deleted along with the trusted domain
if (isInterdomainTrustAccountExist)
{
#region MS-LSAD_R1062
// Add the comment information including the location information.
TestClassBase.BaseTestSite.Log.Add(LogEntryKind.Comment, "Verify MS-LSAD_R1062");
// Verify requirement 1062
TestClassBase.BaseTestSite.CaptureRequirement(
"MS-LSAD",
1062,
@"If the object being deleted is a trusted domain, then the server MUST also check whether
an interdomain trust account with name ""<Trusted Domain NetBIOS Name>$"" exists.");
#endregion
//// The server must delete that account along with the trusted domain, so check the accounts exists
//// or not We expect the trusted domain is not existed
#region MS-LSAD_R1063
// Add the comment information including the location information.
TestClassBase.BaseTestSite.Log.Add(LogEntryKind.Comment, "Verify MS-LSAD_R1063");
// Verify requirement 1063
TestClassBase.BaseTestSite.CaptureRequirement(
"MS-LSAD",
1063,
@"If an interdomain trust account with name ""<Trusted Domain NetBIOS Name>$""] exists,
the server MUST delete that account along with the trusted domain.");
#endregion
}
}
else
{
if (secretFlag && usedObject == ObjectEnum.SecretObject)
{
objectAttributesForDelete[0].RootDirectory = null;
IntPtr?tempSecretHandle = IntPtr.Zero;
IntPtr?tempSecretHandle2 = IntPtr.Zero;
IntPtr?objDeletHandle = IntPtr.Zero;
if (stSecretInformation.UIntSecretHandleAccessCount != handleInput)
{
utilities.nameOfSecretObject(ResOfNameChecked.Valid, ref SecretName);
lsadClientStack.LsarOpenPolicy(
utilities.ConversionfromStringtoushortArray("name"),
objectAttributesForDelete[0],
ACCESS_MASK.POLICY_CREATE_SECRET,
out PolicyHandle2);
lsadClientStack.LsarOpenSecret(
PolicyHandle2.Value,
SecretName[0],
ACCESS_MASK.DELETE,
out tempSecretHandle2);
if (tempSecretHandle2 != IntPtr.Zero)
{
lsadClientStack.LsarDeleteObject(ref tempSecretHandle2);
}
lsadClientStack.LsarCreateSecret(
PolicyHandle2.Value,
SecretName[0],
ACCESS_MASK.DELETE,
out tempSecretHandle);
lsadClientStack.LsarOpenSecret(
PolicyHandle2.Value,
SecretName[0],
ACCESS_MASK.DELETE,
out tempSecretHandle2);
lsadClientStack.LsarDeleteObject(ref tempSecretHandle);
deletedHandle = tempSecretHandle;
objDeletHandle = tempSecretHandle2;
}
else if ((uintAccessMask & ACCESS_MASK.DELETE) != ACCESS_MASK.DELETE)
{
objDeletHandle = objSecretHandle;
}
else if (stPolicyInformation.PHandle == handleInput)
{
objDeletHandle = PolicyHandle;
}
else
{
objDeletHandle = objSecretHandle;
}
uintMethodStatus = lsadClientStack.LsarDeleteObject(ref objDeletHandle);
deletedHandle = objDeletHandle;
handleOutput = (0 == uintMethodStatus) ? Handle.Null : Handle.Invalid;
}
else
{
uintDesrAccess = ACCESS_MASK.MAXIMUM_ALLOWED;
objAccountSid[0].Revision = 0x01;
uintMethodStatus = lsadClientStack.LsarOpenPolicy(
serverName,
objectAttributesForDelete[0],
uintDesrAccess,
out objPolicyHandle);
if (stPolicyInformation.PHandle == handleInput)
{
uintMethodStatus = lsadClientStack.LsarOpenPolicy(
serverName,
objectAttributesForDelete[0],
uintDesrAccess,
out objPolicyHandle);
deleteHandle = objPolicyHandle;
uintMethodStatus = lsadClientStack.LsarDeleteObject(ref objPolicyHandle);
deletedHandle = objPolicyHandle;
}
else if ((stPolicyInformation.PHandle + 1 != handleInput) ||
((htAccHandle.Count == 0) && (checkTrustHandle == false)))
{
#region Passing InvalidHandle
uintMethodStatus = lsadClientStack.LsarOpenAccount(
objPolicyHandle.Value,
objAccountSid[0],
uintDesrAccess,
out deleteHandle);
if (uintMethodStatus != 0)
{
uintMethodStatus = lsadClientStack.LsarCreateAccount(
objPolicyHandle.Value,
objAccountSid[0],
uintDesrAccess,
out deleteHandle);
}
uintMethodStatus = lsadClientStack.LsarOpenAccount(
objPolicyHandle.Value,
objAccountSid[0],
uintDesrAccess,
out objAccountHandle);
uintMethodStatus = lsadClientStack.LsarDeleteObject(ref deleteHandle);
#endregion Passing InvalidHandle
deleteHandle = objAccountHandle;
uintMethodStatus = lsadClientStack.LsarDeleteObject(ref objAccountHandle);
deletedHandle = objAccountHandle;
}
else
{
if (uintOpenAccAccess != 0)
{
objAccountSid[0].Revision = 0x01;
uintDesrAccess = ACCESS_MASK.MAXIMUM_ALLOWED;
}
else
{
uintDesrAccess = ACCESS_MASK.NONE;
htCheckHandle.Add("DeleteHandle", 0);
}
lsadClientStack.LsarOpenAccount(
objPolicyHandle.Value,
objAccountSid[0],
uintDesrAccess,
out objAccountHandle);
deleteHandle = validAccountHandle;
if (uintOpenAccAccess != 0)
{
uintMethodStatus = lsadClientStack.LsarDeleteObject(ref deleteHandle);
}
else
{
if ((checkTrustHandle == true) && (htAccHandle.Count == 0))
{
deleteHandle = validTrustHandle;
uintMethodStatus = lsadClientStack.LsarDeleteObject(ref deleteHandle);
}
else
{
uintMethodStatus = lsadClientStack.LsarDeleteObject(ref objAccountHandle);
deletedHandle = objAccountHandle;
}
}
}
handleOutput = (IntPtr.Zero == deleteHandle) ? Handle.Null : Handle.Invalid;
}
if (secretFlag && usedObject == ObjectEnum.SecretObject)
{
if (stSecretInformation.UIntSecretHandleAccessCount != handleInput)
{
#region MS-LSAD_R844
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.InvalidHandle,
(uint)uintMethodStatus,
"MS-LSAD",
844,
@"The server MUST make all subsequent requests to the deleted object fail with
STATUS_INVALID_HANDLE, even if the requests come in through other open handles.");
#endregion
}
else if ((uintAccessMask & ACCESS_MASK.DELETE) != ACCESS_MASK.DELETE)
{
#region MS-LSAD_R843
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.AccessDenied,
(uint)uintMethodStatus,
"MS-LSAD",
843,
@"The handle in LsarDeleteObject MUST have been opened for DELETE access,
and the server MUST fail the request with STATUS_ACCESS_DENIED otherwise.");
#endregion
}
else if (stPolicyInformation.PHandle == handleInput)
{
#region MS-LSAD_R842
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.InvalidParameter,
(uint)uintMethodStatus,
"MS-LSAD",
842,
@"Policy objects cannot be deleted. Attempts to delete policy objects
MUST fail with STATUS_INVALID_PARAMETER.");
#endregion
}
else
{
#region MS-LSAD_R840
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
840,
@"LsarDeleteObject MUST return STATUS_SUCCESS if the request was
successfully completed.");
#endregion
#region MS-LSAD_R845
TestClassBase.BaseTestSite.CaptureRequirementIfIsTrue(
(((uint)uintMethodStatus == (uint)ErrorStatus.Success) && deletedHandle == IntPtr.Zero),
"MS-LSAD",
845,
@"The deleted ObjectHandle of LsarDeleteObject MUST be automatically closed by
the server; the caller need not close it.");
#endregion
}
if (objSecretHandle != IntPtr.Zero)
{
objectAttributesForDelete[0].RootDirectory = null;
utilities.nameOfSecretObject(ResOfNameChecked.Valid, ref SecretName);
lsadClientStack.LsarOpenPolicy2(
"name",
objectAttributesForDelete[0],
ACCESS_MASK.DELETE | ACCESS_MASK.POLICY_CREATE_SECRET,
out PolicyHandle2);
lsadClientStack.LsarCreateSecret(
PolicyHandle2.Value,
SecretName[0],
ACCESS_MASK.DELETE,
out objSecretHandle);
lsadClientStack.LsarOpenSecret(
PolicyHandle2.Value,
SecretName[0],
ACCESS_MASK.DELETE,
out objSecretHandle);
lsadClientStack.LsarDeleteObject(ref objSecretHandle);
}
secretFlag = false;
}
else
{
if (stPolicyInformation.PHandle == handleInput)
{
#region MS-LSAD_R842
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.InvalidParameter,
(uint)uintMethodStatus,
"MS-LSAD",
842,
@"Policy objects cannot be deleted. Attempts to delete policy objects
MUST fail with STATUS_INVALID_PARAMETER.");
#endregion
}
else if ((stPolicyInformation.PHandle + 1 != handleInput) ||
((htAccHandle.Count == 0) && (checkTrustHandle == false)))
{
#region MS-LSAD_R841
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.InvalidHandle,
(uint)uintMethodStatus,
"MS-LSAD",
841,
@"If the ObjectHandle of LsarDeleteObject is not a valid context handle to an object,
the server MUST return STATUS_INVALID_HANDLE.");
#endregion
#region MS-LSAD_R844
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.InvalidHandle,
(uint)uintMethodStatus,
"MS-LSAD",
844,
@"The server MUST make all subsequent requests to the deleted object fail with
STATUS_INVALID_HANDLE, even if the requests come in through other open handles.");
#endregion
}
else if (((uintAccess & ACCESS_MASK.DELETE) != ACCESS_MASK.DELETE) &&
((uintOpenAccAccess & ACCESS_MASK.DELETE) != ACCESS_MASK.DELETE) &&
(htAccHandle.Count != 0))
{
#region MS-LSAD_R843
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.AccessDenied,
(uint)uintMethodStatus,
"MS-LSAD",
843,
@"The handle in LsarDeleteObject MUST have been opened for DELETE access,
and the server MUST fail the request with STATUS_ACCESS_DENIED otherwise.");
#endregion
}
else
{
NtStatus checkDeleteHandle = lsadClientStack.LsarOpenAccount(
objPolicyHandle.Value,
objAccountSid[0],
uintAccessMask,
out objAccountHandle);
if (checkDeleteHandle == (NtStatus)0xC0000034)
{
#region MS-LSAD_R840
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
840,
@"LsarDeleteObject MUST return STATUS_SUCCESS if the request was
successfully completed.");
#endregion
#region MS-LSAD_R845
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
845,
@"The deleted ObjectHandle of LsarDeleteObject MUST be automatically closed by
the server; the caller need not close it.");
#endregion
#region MS-LSAD_R224
TestClassBase.BaseTestSite.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
224,
@"Deleting an object to which the caller has an open handle (by calling
LsarDeleteObject), if successful, MUST also close the handle.");
#endregion
}
}
if (htAccHandle.Count != 0)
{
utilities.DeleteExistAccount();
htAccHandle.Remove("AccHandle");
}
utilities.CreateExistAccount(uintOpenAccAccess);
if (htAddAccRight.Count != 0)
{
htAddAccRight.Remove("htAddAccRight");
}
}
}
return((ErrorStatus)uintMethodStatus);
}
/// <summary>
/// The LookupPrivilegeValue method is invoked to map the name of a privilege
/// into a locally unique identifier (luid) by which it is known on the server.
/// The locally unique value of the privilege can then be used in subsequent calls
/// to other methods, such as LsarAddPrivilegesToAccount.
/// </summary>
/// <param name="handleInput">Contains policy handle obtained from OpenPolicy/OpenPolicy2 </param>
/// <param name="name">It is for validating the privilege name passed in </param>
/// <param name="privilegeName">Contains privilege name </param>
/// <param name="luid">Out param contains valid or invalid
/// luid of the passed in privilege name </param>
/// <returns>Returns Success if the method is successful
/// Returns AccessDenied if the caller does not have the permissions to
/// perform this operation
/// Returns InvalidHandle if the passed in is a valid object handle
/// Returns InvalidParameter if one or more of the supplied parameters was invalid
/// Returns NoSuchPrivilege if the privilege name is not recognized by the server</returns>
public ErrorStatus LookupPrivilegeValue(
int handleInput,
ValidString name,
string privilegeName,
out PrivilegeLUID luid)
{
_RPC_UNICODE_STRING inputPrivilegeName = new _RPC_UNICODE_STRING();
Hashtable htPrivilegeNameNLUID = new Hashtable();
_LUID?outputPrivilegeLUID = new _LUID();
utilities.privilegeInformation(ref htPrivilegeNameNLUID);
if (name == ValidString.Invalid)
{
utilities.nameOfPrivilege(PrivilegeType.InValid, ref inputPrivilegeName);
inputPrivilegeName.Length = (ushort)((2 * inputPrivilegeName.Buffer.Length) + 1);
inputPrivilegeName.MaximumLength = (ushort)(inputPrivilegeName.Length + 2);
}
else if (stPolicyInformation.PHandle != handleInput)
{
utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName);
utilities.inValidHandle();
}
else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES)
{
utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName);
}
else if (!htPrivilegeNameNLUID.ContainsValue(privilegeName))
{
utilities.nameOfPrivilege(PrivilegeType.NoSuchPrivilege, ref inputPrivilegeName);
}
else
{
utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName);
}
uintMethodStatus = lsadClientStack.LsarLookupPrivilegeValue(
PolicyHandle.Value,
inputPrivilegeName,
out outputPrivilegeLUID);
luid = (outputPrivilegeLUID.Value.HighPart == 0 & outputPrivilegeLUID.Value.LowPart == 0)
? PrivilegeLUID.Invalid : PrivilegeLUID.Valid;
if (name == ValidString.Invalid)
{
#region MS-LSAD_R807
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.InvalidParameter,
(uint)uintMethodStatus,
"MS-LSAD",
807,
@"In LsarLookupPrivilegeValue method server MUST return STATUS_INVALID_PARAMETER
if One or more of the supplied parameters was invalid.");
#endregion
}
else if (stPolicyInformation.PHandle != handleInput)
{
#region MS-LSAD_R804
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.InvalidHandle,
(uint)uintMethodStatus,
"MS-LSAD",
804,
@"In LsarLookupPrivilegeValue method,If PolicyHandle is not a valid context handle
to the policy object, the server MUST return STATUS_INVALID_HANDLE.");
#endregion
lsadClientStack.LsarDeleteObject(ref PolicyHandle);
PolicyHandle = utilities.tempPolicyHandle;
}
else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES)
{
#region MS-LSAD_R805
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.AccessDenied,
(uint)uintMethodStatus,
"MS-LSAD",
805,
@"In PolicyHandle parameter of LsarLookupPrivilegeValue method, server MUST verify
that the caller has POLICY_LOOKUP_NAMES access and return STATUS_ACCESS_DENIED otherwise");
#endregion
}
else if (!htPrivilegeNameNLUID.ContainsValue(privilegeName))
{
#region MS-LSAD_R806
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.NoSuchPrivilege,
(uint)uintMethodStatus,
"MS-LSAD",
806,
@"In LsarLookupPrivilegeValue method , If the value in the Name argument is not
recognized by the server, the server MUST fail the request with STATUS_NO_SUCH_PRIVILEGE");
#endregion
}
else
{
htPrivilegeNameNLUID.Clear();
#region MS-LSAD_R808
if ((uint)ErrorStatus.Success == (uint)uintMethodStatus)
{
Site.CaptureRequirement(
"MS-LSAD",
808,
@"In LsarLookupPrivilegeValue method server MUST return STATUS_SUCCESS
if request is successfully completed.");
}
#endregion
}
return((ErrorStatus)uintMethodStatus);
}
/// <summary>
/// The LookupPrivilegeDisplayName method is invoked to map the name
/// of a privilege into a display text string in the caller's language.
/// </summary>
/// <param name="handleInput">Contains policy handle obtained from OpenPolicy/OpenPolicy2 </param>
/// <param name="name">It is for validating the privilege name passed in </param>
/// <param name="privilegeName">Contains privilege name </param>
/// <param name="displayName">Out param contains valid or invalid
/// display text of the passed in privilegename </param>
/// <returns>Returns Success if the method is successful
/// Returns AccessDenied if the caller does not have the permissions to
/// perform this operation
/// Returns InvalidHandle if the passed in is a valid object handle
/// Returns InvalidParameter if one or more of the supplied parameters was invalid
/// Returns NoSuchPrivilege if the privilege luid is not recognized by the server</returns>
public ErrorStatus LookupPrivilegeDisplayName(
int handleInput,
ValidString name,
string privilegeName,
out ValidString displayName)
{
_RPC_UNICODE_STRING?inputPrivilegeName = new _RPC_UNICODE_STRING();
_RPC_UNICODE_STRING inputPrivilegeName1 = new _RPC_UNICODE_STRING();
_RPC_UNICODE_STRING?outputPrivilegeName = new _RPC_UNICODE_STRING();
Hashtable htPrivilegeNameNLUID = new Hashtable();
short shortClientLanguage = 0, shortClientSystemDefaultLanguage = 0;
ushort?ushortLanguageReturned = 0;
utilities.privilegeInformation(ref htPrivilegeNameNLUID);
inputPrivilegeName1 = (_RPC_UNICODE_STRING)inputPrivilegeName;
if (name == ValidString.Invalid)
{
shortClientLanguage = 9;
utilities.nameOfPrivilege(PrivilegeType.InValid, ref inputPrivilegeName1);
inputPrivilegeName1.Length = (ushort)((2 * inputPrivilegeName1.Buffer.Length) + 1);
inputPrivilegeName1.MaximumLength = (ushort)(inputPrivilegeName1.Length + 2);
}
else if (stPolicyInformation.PHandle != handleInput)
{
shortClientLanguage = 9;
utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName1);
utilities.inValidHandle();
}
else if (!htPrivilegeNameNLUID.ContainsValue(privilegeName))
{
shortClientLanguage = 9;
utilities.nameOfPrivilege(PrivilegeType.NoSuchPrivilege, ref inputPrivilegeName1);
}
else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES)
{
utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName1);
shortClientLanguage = 9;
}
else
{
shortClientLanguage = 9;
utilities.nameOfPrivilege(PrivilegeType.Valid, ref inputPrivilegeName1);
}
inputPrivilegeName = inputPrivilegeName1;
uintMethodStatus = lsadClientStack.LsarLookupPrivilegeDisplayName(
PolicyHandle.Value,
inputPrivilegeName,
shortClientLanguage,
shortClientSystemDefaultLanguage,
out outputPrivilegeName,
out ushortLanguageReturned);
displayName = (outputPrivilegeName == null) ? ValidString.Invalid : ValidString.Valid;
if (name == ValidString.Invalid)
{
#region MS-LSAD_R823
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.InvalidParameter,
(uint)uintMethodStatus,
"MS-LSAD",
823,
@"In LsarLookupPrivilegeDisplayName method server MUST return STATUS_INVALID_PARAMETER
if One or more of the supplied parameters was invalid.");
#endregion
}
else if (stPolicyInformation.PHandle != handleInput)
{
lsadClientStack.LsarDeleteObject(ref PolicyHandle);
PolicyHandle = utilities.tempPolicyHandle;
#region MS-LSAD_R814
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.InvalidHandle,
(uint)uintMethodStatus,
"MS-LSAD",
814,
@"In LsarLookupPrivilegeDisplayName method,If PolicyHandle is not a valid
context handle to the policy object, the server MUST return STATUS_INVALID_HANDLE.");
#endregion
}
else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES)
{
#region MS-LSAD_R815
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.AccessDenied,
(uint)uintMethodStatus,
"MS-LSAD",
815,
@"In PolicyHandle parameter of LsarLookupPrivilegeDisplayName method ,server MUST verify that the
caller has POLICY_LOOKUP_NAMES access and return STATUS_ACCESS_DENIED otherwise");
#endregion
}
else if (!htPrivilegeNameNLUID.ContainsValue(privilegeName))
{
#region MS-LSAD_R817
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.NoSuchPrivilege,
(uint)uintMethodStatus,
"MS-LSAD",
817,
@"In LsarLookupPrivilegeDisplayName method , If the entry cannot be located,
the server MUST return STATUS_NO_SUCH_PRIVILEGE.");
#endregion
}
else
{
htPrivilegeNameNLUID.Clear();
#region MS-LSAD_R822
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
822,
@"In LsarLookupPrivilegeDisplayName method server MUST return STATUS_SUCCESS
if request is successfully completed.");
#endregion
#region MS-LSAD_R816
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
816,
@"In LsarLookupPrivilegeDisplayName method server MUST locate the entry with the same
name in the data store (RPC_UNICODE_STRING).");
#endregion
#region MS-LSAD_R521
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
821,
@"In LsarLookupPrivilegeDisplayName method , If neither ClientLanguage nor
ClientSystemDefaultLanguage can be found, the server MUST return the description
in the server's own language.");
#endregion
}
return((ErrorStatus)uintMethodStatus);
}
/// <summary>
/// The LookupPrivilegeName method is invoked to map the luid of a privilege
/// into a string name by which it is known on the server.
/// </summary>
/// <param name="handleInput">Contains policy handle obtained from OpenPolicy/OpenPolicy2 </param>
/// <param name="luid">It is for validating the privilege luid passed in </param>
/// <param name="privilegeLuid">Contains privilege luid </param>
/// <param name="privilegeName">Out param contains valid or invalid
/// privilegeName of the passed in privilege luid </param>
/// <returns>Returns Success if the method is successful
/// Returns AccessDenied if the caller does not have the permissions to
/// perform this operation
/// Returns InvalidHandle if the passed in is a valid object handle
/// Returns InvalidParameter if one or more of the supplied parameters was invalid
/// Returns NoSuchPrivilege if the privilege luid is not recognized by the server</returns>
public ErrorStatus LookupPrivilegeName(
int handleInput,
PrivilegeLUID luid,
string privilegeLuid,
out ValidString privilegeName)
{
_RPC_UNICODE_STRING?outputPrivilegeName = new _RPC_UNICODE_STRING();
_RPC_UNICODE_STRING outputComparePrivilegeName = new _RPC_UNICODE_STRING();
_LUID[] inputPrivilegeLUID = new _LUID[1];
Hashtable htPrivilegeNameNLUID = new Hashtable();
string nameOfPrivilege = string.Empty;
char[] charNameOfPrivilege = new char[25];
bool isEqual = false;
nameOfPrivilege = PrivilegeName;
charNameOfPrivilege = nameOfPrivilege.ToCharArray();
outputComparePrivilegeName.Buffer = new ushort[nameOfPrivilege.Length];
Array.Copy(charNameOfPrivilege, outputComparePrivilegeName.Buffer, charNameOfPrivilege.Length);
outputComparePrivilegeName.Length = (ushort)(2 * outputComparePrivilegeName.Buffer.Length);
outputComparePrivilegeName.MaximumLength = (ushort)(outputComparePrivilegeName.Length + 2);
utilities.privilegeInformation(ref htPrivilegeNameNLUID);
if (luid == PrivilegeLUID.Invalid)
{
utilities.valuesOfLUID(PrivilegeLUID.Invalid, ref inputPrivilegeLUID);
inputPrivilegeLUID[0].LowPart = 56;
inputPrivilegeLUID[0].HighPart = 0;
}
else if (stPolicyInformation.PHandle != handleInput)
{
utilities.valuesOfLUID(PrivilegeLUID.Valid, ref inputPrivilegeLUID);
utilities.inValidHandle();
}
else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES)
{
utilities.valuesOfLUID(PrivilegeLUID.Valid, ref inputPrivilegeLUID);
}
else if (!htPrivilegeNameNLUID.ContainsKey(privilegeLuid))
{
utilities.valuesOfLUID(PrivilegeLUID.NotPresentLuid, ref inputPrivilegeLUID);
}
else
{
utilities.valuesOfLUID(PrivilegeLUID.Valid, ref inputPrivilegeLUID);
}
uintMethodStatus = lsadClientStack.LsarLookupPrivilegeName(
PolicyHandle.Value,
inputPrivilegeLUID[0],
out outputPrivilegeName);
if (outputPrivilegeName != null)
{
isEqual = utilities.CheckTheRpcStrings(outputPrivilegeName.Value, outputComparePrivilegeName);
if (isEqual)
{
privilegeName = ValidString.Valid;
}
else
{
privilegeName = ValidString.Invalid;
}
}
else
{
privilegeName = (outputPrivilegeName == null) ? ValidString.Invalid : ValidString.Valid;
}
if (!(luid == PrivilegeLUID.Invalid))
{
if (stPolicyInformation.PHandle != handleInput)
{
#region MS-LSAD_R809
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.InvalidHandle,
(uint)uintMethodStatus,
"MS-LSAD",
809,
@"In LsarLookupPrivilegeName method ,If PolicyHandle is not a valid context handle to
the policy object, the server MUST return STATUS_INVALID_HANDLE");
#endregion
lsadClientStack.LsarDeleteObject(ref PolicyHandle);
PolicyHandle = utilities.tempPolicyHandle;
}
else if ((uintAccessMask & ACCESS_MASK.POLICY_LOOKUP_NAMES) != ACCESS_MASK.POLICY_LOOKUP_NAMES)
{
#region MS-LSAD_R810
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.AccessDenied,
(uint)uintMethodStatus,
"MS-LSAD",
810,
@"In PolicyHandle parameter of LsarLookupPrivilegeName method, server MUST verify
that the caller has POLICY_LOOKUP_NAMES access and return STATUS_ACCESS_DENIED otherwise.");
#endregion
}
else if (!htPrivilegeNameNLUID.ContainsKey(privilegeLuid))
{
#region MS-LSAD_R811
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.NoSuchPrivilege,
(uint)uintMethodStatus,
"MS-LSAD",
811,
@"In LsarLookupPrivilegeName method,If the LUID in the Value argument is not recognized
by the server, the server MUST fail the request with STATUS_NO_SUCH_PRIVILEGE");
#endregion
}
else
{
htPrivilegeNameNLUID.Clear();
#region MS-LSAD_R813
Site.CaptureRequirementIfAreEqual <uint>(
(uint)ErrorStatus.Success,
(uint)uintMethodStatus,
"MS-LSAD",
813,
@"In LsarLookupPrivilegeName method server MUST return STATUS_SUCCESS
if request is successfully completed.");
#endregion
}
}
return((ErrorStatus)uintMethodStatus);
}
