archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/base/fs/rdr2/rdbss/smb.mrx/rdrssp/secret.c

552 lines
12 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1991 Microsoft Corporation
  5. Module Name:
  7. secret.c
  9. Abstract:
  11. This module contains the code to read and write secrets from disk.
  13. Author:
  15. Adam Barr (adamba) 13-June-1997
  17. Revision History:
  19. Adam Barr (adamba) 29-December-1997
  20. Modified from private\ntos\boot\lib\blsecret.c.
  22. --*/
  24. #include <rdrssp.h>
  25. #include <rc4.h>
  26. #include <wcstr.h>
  28. #if defined(REMOTE_BOOT)
  30. #if 0
  31. VOID
  32. RdrpDumpSector(
  33. PUCHAR Sector
  34. )
  35. {
  36. int i, j;
  38. PUCHAR SectorChar = (PUCHAR)Sector;
  40. for (i = 0; i < 512; i+= 16) {
  42. for (j = 0; j < 16; j++) {
  43. DbgPrint("%2.2x ", SectorChar[i + j]);
  44. }
  45. DbgPrint(" ");
  46. for (j = 0; j < 16; j++) {
  47. if ((SectorChar[i+j] >= ' ') && (SectorChar[i+j] < '~')) {
  48. DbgPrint("%c", SectorChar[i+j]);
  49. } else {
  50. DbgPrint(".");
  51. }
  52. }
  53. DbgPrint("\n");
  54. }
  55. }
  56. #endif
  59. NTSTATUS
  60. RdrOpenRawDisk(
  61. PHANDLE Handle
  62. )
  64. /*++
  66. Routine Description:
  68. This routine opens the raw disk for read/write.
  70. Arguments:
  72. Handle - returns the Handle if successful, for use in subsequent calls.
  74. Return Value:
  76. The status return from the ZwOpenFile.
  78. --*/
  80. {
  81. NTSTATUS status;
  82. OBJECT_ATTRIBUTES objectAttributes;
  83. UNICODE_STRING physicalDriveString;
  84. IO_STATUS_BLOCK ioStatus;
  86. RtlInitUnicodeString(&physicalDriveString, L"\\Device\\Harddisk0\\Partition0");
  88. InitializeObjectAttributes(
  89. &objectAttributes,
  90. &physicalDriveString,
  91. OBJ_CASE_INSENSITIVE,
  92. NULL,
  93. NULL);
  95. status = ZwOpenFile(
  96. Handle,
  97. FILE_READ_DATA | FILE_WRITE_DATA | SYNCHRONIZE,
  98. &objectAttributes,
  99. &ioStatus,
  100. FILE_SHARE_READ | FILE_SHARE_WRITE,
  101. FILE_SYNCHRONOUS_IO_NONALERT);
  103. if ((!NT_SUCCESS(status)) || (!NT_SUCCESS(ioStatus.Status))) {
  105. KdPrint(("RdrOpenRawDisk: status on ZwOpenFile: %x, %x\n", status, ioStatus.Status));
  106. if (NT_SUCCESS(status)) {
  107. status = ioStatus.Status;
  108. }
  110. }
  112. return status;
  114. }
  117. NTSTATUS
  118. RdrCloseRawDisk(
  119. HANDLE Handle
  120. )
  122. /*++
  124. Routine Description:
  126. This routine closes the raw disk.
  128. Arguments:
  130. Handle - The Handle returned by RdrOpenRawDisk.
  132. Return Value:
  134. The status return from the ZwClose.
  136. --*/
  138. {
  140. return ZwClose(Handle);
  142. }
  145. NTSTATUS
  146. RdrCheckForFreeSectors (
  147. HANDLE Handle
  148. )
  150. /*++
  152. Routine Description:
  154. This routine makes sure that the MBR looks correct and that there
  155. is nothing installed (OnTrack or EZ-Drive need to detect
  156. NT fault-tolerance also) that would prevent us from using the third
  157. sector for storing the password secret.
  159. Arguments:
  161. Handle - The Handle returned by RdrOpenRawDisk.
  163. Return Value:
  165. ESUCCESS if the disk is OK, or an error.
  167. --*/
  169. {
  171. NTSTATUS status;
  172. USHORT Sector[256];
  173. ULONG BytesRead;
  174. PPARTITION_DESCRIPTOR Partition;
  175. LARGE_INTEGER SeekPosition;
  176. IO_STATUS_BLOCK ioStatus;
  179. SeekPosition.QuadPart = 0;
  181. //
  182. // Read the MBR at the start of the disk.
  183. //
  185. status = ZwReadFile(
  186. Handle,
  187. NULL,
  188. NULL,
  189. NULL,
  190. &ioStatus,
  191. Sector,
  192. 512,
  193. &SeekPosition,
  194. NULL);
  196. if ((!NT_SUCCESS(status)) || (!NT_SUCCESS(ioStatus.Status))) {
  198. KdPrint(("RdrCheckForFreeSectors: status on ZwReadFile: %x, %x\n", status, ioStatus.Status));
  199. if (NT_SUCCESS(status)) {
  200. status = ioStatus.Status;
  201. }
  202. return status;
  204. }
  206. #if 0
  207. RdrpDumpSector((PUCHAR)Sector);
  208. #endif
  210. //
  211. // Make sure the signature is OK, and that the type of partition
  212. // 0 is not 0x54 (OnTrack) or 0x55 (EZ-Drive).
  213. //
  215. if (Sector[BOOT_SIGNATURE_OFFSET] != BOOT_RECORD_SIGNATURE) {
  217. KdPrint(("RdrCheckForFreeSectors: Boot record signature %x not found (%x found)\n",
  218. BOOT_RECORD_SIGNATURE,
  219. Sector[BOOT_SIGNATURE_OFFSET] ));
  220. return STATUS_INVALID_PARAMETER;
  221. }
  223. Partition = (PPARTITION_DESCRIPTOR)&Sector[PARTITION_TABLE_OFFSET];
  225. if ((Partition->PartitionType == 0x54) ||
  226. (Partition->PartitionType == 0x55)) {
  228. KdPrint(("RdrCheckForFreeSectors: First partition has type %x, exiting\n", Partition->PartitionType));
  229. return STATUS_INVALID_PARAMETER;
  230. }
  232. KdPrint(("RdrCheckForFreeSectors: Partition type is %d\n", Partition->PartitionType));
  234. return STATUS_SUCCESS;
  236. }
  239. NTSTATUS
  240. RdrReadSecret(
  241. HANDLE Handle,
  242. PRI_SECRET Secret
  243. )
  245. /*++
  247. Routine Description:
  249. This routine reads the secret from the disk, if present.
  251. Arguments:
  253. Handle - The Handle returned by RdrOpenRawDisk.
  255. Return Value:
  257. ESUCCESS if the secret is OK, an error otherwise.
  259. --*/
  261. {
  263. NTSTATUS status;
  264. ULONG BytesRead;
  265. LARGE_INTEGER SeekPosition;
  266. IO_STATUS_BLOCK ioStatus;
  267. UCHAR Sector[512];
  270. //
  271. // Seek to the third sector.
  273. // DEADISSUE 08/08/2000 -- this is in an #ifdef REMOTE_BOOT block,
  274. // which is dead code, left here in case it is ever resuurected:
  275. // I am pretty sure we can assume that the first disk has 512-byte sectors.
  276. //
  278. SeekPosition.QuadPart = 2 * 512;
  280. //
  281. // Read a full sector. The secret is at the beginning.
  282. //
  284. status = ZwReadFile(
  285. Handle,
  286. NULL,
  287. NULL,
  288. NULL,
  289. &ioStatus,
  290. Sector,
  291. 512,
  292. &SeekPosition,
  293. NULL);
  295. if ((!NT_SUCCESS(status)) || (!NT_SUCCESS(ioStatus.Status))) {
  297. KdPrint(("RdrReadSecret: status on ZwReadFile: %x, %x\n", status, ioStatus.Status));
  298. if (NT_SUCCESS(status)) {
  299. status = ioStatus.Status;
  300. }
  301. return status;
  303. }
  305. RtlMoveMemory(Secret, Sector, sizeof(RI_SECRET));
  307. if (memcmp(Secret->Signature, RI_SECRET_SIGNATURE, 4) != 0) {
  309. KdPrint(("RdrReadSecret: No signature found\n"));
  310. return STATUS_INVALID_PARAMETER;
  311. }
  313. return STATUS_SUCCESS;
  315. }
  319. NTSTATUS
  320. RdrWriteSecret(
  321. HANDLE Handle,
  322. PRI_SECRET Secret
  323. )
  325. /*++
  327. Routine Description:
  329. This routine writes the secret to the disk.
  331. Arguments:
  333. Handle - The Handle returned by RdrOpenRawDisk.
  335. Return Value:
  337. ESUCCESS if the secret is written OK, an error otherwise.
  339. --*/
  341. {
  343. NTSTATUS status;
  344. ULONG BytesWritten;
  345. LARGE_INTEGER SeekPosition;
  346. IO_STATUS_BLOCK ioStatus;
  347. UCHAR Sector[512];
  350. //
  351. // Seek to the third sector.
  352. //
  354. SeekPosition.QuadPart = 2 * 512;
  356. //
  357. // Copy the secret to a full sector since the raw disk requires
  358. // reads/writes in sector multiples.
  359. //
  361. RtlZeroMemory(Sector, sizeof(Sector));
  362. RtlMoveMemory(Sector, Secret, sizeof(RI_SECRET));
  364. //
  365. // Write a secret-sized chunk.
  366. //
  368. status = ZwWriteFile(
  369. Handle,
  370. NULL,
  371. NULL,
  372. NULL,
  373. &ioStatus,
  374. Sector,
  375. 512,
  376. &SeekPosition,
  377. NULL);
  379. if ((!NT_SUCCESS(status)) || (!NT_SUCCESS(ioStatus.Status))) {
  381. KdPrint(("RdrWriteSecret: status on ZwWriteFile: %x, %x\n", status, ioStatus.Status));
  382. if (NT_SUCCESS(status)) {
  383. status = ioStatus.Status;
  384. }
  385. return status;
  387. }
  389. return STATUS_SUCCESS;
  391. }
  395. VOID
  396. RdrInitializeSecret(
  397. IN PUCHAR Domain,
  398. IN PUCHAR User,
  399. IN PUCHAR LmOwfPassword1,
  400. IN PUCHAR NtOwfPassword1,
  401. IN PUCHAR LmOwfPassword2 OPTIONAL,
  402. IN PUCHAR NtOwfPassword2 OPTIONAL,
  403. IN PUCHAR Sid,
  404. IN OUT PRI_SECRET Secret
  405. )
  406. {
  407. int Length;
  408. int i;
  409. struct RC4_KEYSTRUCT Key;
  411. memset(Secret, 0, sizeof(RI_SECRET));
  413. memcpy(Secret->Signature, RI_SECRET_SIGNATURE, 4);
  414. Secret->Version = 1;
  416. Length = strlen(Domain);
  417. memcpy(Secret->Domain, Domain, Length);
  419. Length = strlen(User);
  420. memcpy(Secret->User, User, Length);
  422. memcpy(Secret->Sid, Sid, RI_SECRET_SID_SIZE);
  424. //
  425. // Encrypt the passwords using the user name.
  426. //
  428. #ifdef RDR_USE_LM_PASSWORD
  429. memcpy(Secret->LmEncryptedPassword1, LmOwfPassword1, LM_OWF_PASSWORD_SIZE);
  430. rc4_key(&Key, strlen(User), User);
  431. rc4(&Key, LM_OWF_PASSWORD_SIZE, Secret->LmEncryptedPassword1);
  433. if (LmOwfPassword2 != NULL) {
  434. memcpy(Secret->LmEncryptedPassword2, LmOwfPassword2, LM_OWF_PASSWORD_SIZE);
  435. rc4_key(&Key, strlen(User), User);
  436. rc4(&Key, LM_OWF_PASSWORD_SIZE, Secret->LmEncryptedPassword2);
  437. }
  438. #endif
  440. memcpy(Secret->NtEncryptedPassword1, NtOwfPassword1, NT_OWF_PASSWORD_SIZE);
  441. rc4_key(&Key, strlen(User), User);
  442. rc4(&Key, NT_OWF_PASSWORD_SIZE, Secret->NtEncryptedPassword1);
  444. if (NtOwfPassword2 != NULL) {
  445. memcpy(Secret->NtEncryptedPassword2, NtOwfPassword2, NT_OWF_PASSWORD_SIZE);
  446. rc4_key(&Key, strlen(User), User);
  447. rc4(&Key, NT_OWF_PASSWORD_SIZE, Secret->NtEncryptedPassword2);
  448. }
  450. }
  451. #endif // defined(REMOTE_BOOT)
  455. VOID
  456. RdrParseSecret(
  457. IN OUT PUCHAR Domain,
  458. IN OUT PUCHAR User,
  459. IN OUT PUCHAR LmOwfPassword1,
  460. IN OUT PUCHAR NtOwfPassword1,
  461. #if defined(REMOTE_BOOT)
  462. IN OUT PUCHAR LmOwfPassword2,
  463. IN OUT PUCHAR NtOwfPassword2,
  464. #endif // defined(REMOTE_BOOT)
  465. IN OUT PUCHAR Sid,
  466. IN PRI_SECRET Secret
  467. )
  468. {
  469. struct RC4_KEYSTRUCT Key;
  471. memcpy(Domain, Secret->Domain, RI_SECRET_DOMAIN_SIZE);
  472. Domain[RI_SECRET_DOMAIN_SIZE] = '\0';
  474. memcpy(User, Secret->User, RI_SECRET_USER_SIZE);
  475. User[RI_SECRET_USER_SIZE] = '\0';
  477. memcpy(Sid, Secret->Sid, RI_SECRET_SID_SIZE);
  479. //
  480. // Decrypt the passwords using the user name.
  481. //
  483. #ifdef RDR_USE_LM_PASSWORD
  484. memcpy(LmOwfPassword1, Secret->LmEncryptedPassword1, LM_OWF_PASSWORD_SIZE);
  485. rc4_key(&Key, strlen(User), User);
  486. rc4(&Key, LM_OWF_PASSWORD_SIZE, LmOwfPassword1);
  488. #if defined(REMOTE_BOOT)
  489. memcpy(LmOwfPassword2, Secret->LmEncryptedPassword2, LM_OWF_PASSWORD_SIZE);
  490. rc4_key(&Key, strlen(User), User);
  491. rc4(&Key, LM_OWF_PASSWORD_SIZE, LmOwfPassword2);
  492. #endif // defined(REMOTE_BOOT)
  493. #else
  494. memset(LmOwfPassword1, 0, LM_OWF_PASSWORD_SIZE);
  495. #if defined(REMOTE_BOOT)
  496. memset(LmOwfPassword2, 0, LM_OWF_PASSWORD_SIZE);
  497. #endif // defined(REMOTE_BOOT)
  498. #endif
  500. memcpy(NtOwfPassword1, Secret->NtEncryptedPassword1, NT_OWF_PASSWORD_SIZE);
  501. rc4_key(&Key, strlen(User), User);
  502. rc4(&Key, NT_OWF_PASSWORD_SIZE, NtOwfPassword1);
  504. #if defined(REMOTE_BOOT)
  505. memcpy(NtOwfPassword2, Secret->NtEncryptedPassword2, NT_OWF_PASSWORD_SIZE);
  506. rc4_key(&Key, strlen(User), User);
  507. rc4(&Key, NT_OWF_PASSWORD_SIZE, NtOwfPassword2);
  508. #endif // defined(REMOTE_BOOT)
  510. }
  514. #if defined(REMOTE_BOOT)
  515. VOID
  516. RdrOwfPassword(
  517. IN PUNICODE_STRING Password,
  518. IN OUT PUCHAR LmOwfPassword,
  519. IN OUT PUCHAR NtOwfPassword
  520. )
  521. {
  522. char TmpText[CLEAR_BLOCK_LENGTH*2];
  523. char TmpChar;
  524. int Length;
  525. int i;
  527. #ifdef RDR_USE_LM_PASSWORD
  528. Length = Password.Length / sizeof(WCHAR);
  530. //
  531. // Convert the password to an upper-case ANSI buffer.
  532. //
  534. if (Length == 0) {
  535. TmpText[0] = '\0';
  536. } else {
  537. for (i = 0; i <= Length; i++) {
  538. wctomb(&TmpChar, Password.Buffer[i]);
  539. TmpText[i] = toupper(TmpChar);
  540. }
  541. }
  543. RtlCalculateLmOwfPassword((PLM_PASSWORD)TmpText, (PLM_OWF_PASSWORD)LmOwfPassword);
  544. #else
  545. memset(LmOwfPassword, 0, LM_OWF_PASSWORD_SIZE);
  546. #endif
  548. RtlCalculateNtOwfPassword(Password, (PNT_OWF_PASSWORD)NtOwfPassword);
  550. RtlSecureZeroMemory(TmpText, sizeof(TmpText));
  551. }
  552. #endif // defined(REMOTE_BOOT)