archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/ds/netapi/netlib/joincrypt.c

595 lines
14 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 1987-1996 Microsoft Corporation
  5. Module Name:
  7. joincrypt.c
  9. Abstract:
  11. Authentication related functions required by netjoin
  13. Author:
  15. kumarp 29-May-1999
  17. Notes:
  18. The functions in this file used to be made avaialbe by
  19. including net\svcdlls\logonsrv\server\ssiauth.c. This led to several
  20. problems due to which, the functions are now copied from that file
  21. into this separate file.
  23. --*/
  26. #pragma hdrstop
  28. #define WKSTA_NETLOGON
  29. #define NETSETUP_JOIN
  31. #include <netsetp.h>
  32. #include <crypt.h>
  33. #include <ntsam.h>
  34. #include <logonmsv.h>
  35. #include <lmshare.h>
  36. #include <wincrypt.h>
  37. #include <netlogon.h>
  38. #include <logonp.h>
  39. #include <logonmsv.h>
  40. #include <ssi.h>
  41. #include <wchar.h>
  42. #include "joinp.h"
  44. HCRYPTPROV NlGlobalCryptProvider = (HCRYPTPROV)NULL;
  47. #define NlPrint(x)
  49. BOOLEAN
  50. NlGenerateRandomBits(
  51. PUCHAR Buffer,
  52. ULONG BufferLen
  53. );
  55. VOID
  56. NlComputeChallenge(
  57. OUT PNETLOGON_CREDENTIAL Challenge
  58. );
  60. VOID
  61. NlComputeCredentials(
  62. IN PNETLOGON_CREDENTIAL Challenge,
  63. OUT PNETLOGON_CREDENTIAL Credential,
  64. IN PNETLOGON_SESSION_KEY SessionKey
  65. );
  69. NTSTATUS
  70. NlMakeSessionKey(
  71. IN ULONG NegotiatedFlags,
  72. IN PNT_OWF_PASSWORD CryptKey,
  73. IN PNETLOGON_CREDENTIAL ClientChallenge,
  74. IN PNETLOGON_CREDENTIAL ServerChallenge,
  75. OUT PNETLOGON_SESSION_KEY SessionKey
  76. )
  77. /*++
  79. Routine Description:
  81. Build an encryption key for use in authentication for
  82. this RequestorName.
  84. Arguments:
  86. NegotiatedFlags - Determines the strength of the key.
  88. CryptKey -- The OWF password of the user account being used.
  90. ClientChallenge -- 8 byte (64 bit) number generated by caller
  92. ServerChallenge -- 8 byte (64 bit) number generated by primary
  94. SessionKey -- 16 byte (128 bit) number generated at both ends
  95. If the key strength is weak, the last 64 bits will be zero.
  97. Return Value:
  99. TRUE: Success
  100. FALSE: Failure
  102. NT status code.
  104. --*/
  105. {
  106. NTSTATUS Status;
  107. BLOCK_KEY BlockKey;
  108. NETLOGON_SESSION_KEY TempSessionKey;
  110. #ifndef NETSETUP_JOIN
  111. PCHECKSUM_BUFFER CheckBuffer = NULL;
  112. PCHECKSUM_FUNCTION Check;
  113. #endif // NETSETUP_JOIN
  115. //
  116. // Start with a zero key
  117. //
  118. RtlZeroMemory(SessionKey, sizeof(NETLOGON_SESSION_KEY));
  120. #ifdef NETSETUP_JOIN
  121. UNREFERENCED_PARAMETER( NegotiatedFlags );
  122. #else // NETSETUP_JOIN
  123. //
  124. // If the caller wants a strong key,
  125. // Compute it.
  126. //
  127. if ( NegotiatedFlags & NETLOGON_SUPPORTS_STRONG_KEY ) {
  129. // PCRYPTO_SYSTEM CryptSystem;
  131. UCHAR LocalChecksum[sizeof(*SessionKey)];
  132. // ULONG OutputSize;
  134. //
  135. // Initialize the checksum routines.
  136. //
  138. Status = CDLocateCheckSum( KERB_CHECKSUM_MD5_HMAC, &Check);
  139. if (!NT_SUCCESS(Status)) {
  140. NlPrint(( NL_CRITICAL,"NlMakeSessionKey: Failed to load checksum routines: 0x%x\n", Status));
  141. goto Cleanup;
  142. }
  144. ASSERT(Check->CheckSumSize <= sizeof(LocalChecksum));
  146. Status = Check->InitializeEx(
  147. (LPBYTE)CryptKey,
  148. sizeof( *CryptKey ),
  149. 0, // no message type
  150. &CheckBuffer );
  152. if (!NT_SUCCESS(Status)) {
  153. NlPrint(( NL_CRITICAL,"NlMakeSessionKey: Failed to initialize checksum routines: 0x%x\n", Status));
  154. goto Cleanup;
  155. }
  158. //
  159. // Sum in the client challenge, a constant, and the server challenge
  160. //
  162. Check->Sum( CheckBuffer,
  163. sizeof(*ClientChallenge),
  164. (PUCHAR)ClientChallenge );
  166. Check->Sum( CheckBuffer,
  167. sizeof(*ServerChallenge),
  168. (PUCHAR)ServerChallenge );
  170. //
  171. // Finish the checksum
  172. //
  174. (void) Check->Finalize(CheckBuffer, LocalChecksum);
  177. //
  178. // Copy the checksum into the message.
  179. //
  181. ASSERT( sizeof(LocalChecksum) >= sizeof(*SessionKey) );
  182. RtlCopyMemory( SessionKey, LocalChecksum, sizeof(*SessionKey) );
  185. //
  186. // Compute weaker (but backward compatible key)
  187. //
  188. } else {
  189. #endif // NETSETUP_JOIN
  191. //
  192. // we will have a 128 bit key (64 bit encrypted rest padded with 0s)
  193. //
  194. // SessionKey = C + P (arithmetic sum ignore carry)
  195. //
  197. *((unsigned long * ) SessionKey) =
  198. *((unsigned long * ) ClientChallenge) +
  199. *((unsigned long * ) ServerChallenge);
  201. *((unsigned long * )((LPBYTE)SessionKey + 4)) =
  202. *((unsigned long * )((LPBYTE)ClientChallenge + 4)) +
  203. *((unsigned long * )((LPBYTE)ServerChallenge + 4));
  206. //
  207. // CryptKey is our 16 byte key to be used as described in codespec
  208. // use first 7 bytes of CryptKey for first encryption
  209. //
  211. RtlCopyMemory( &BlockKey, CryptKey, BLOCK_KEY_LENGTH );
  213. Status = RtlEncryptBlock(
  214. (PCLEAR_BLOCK) SessionKey, // Clear text
  215. &BlockKey, // Key
  216. (PCYPHER_BLOCK) &TempSessionKey); // Cypher Block
  218. if ( !NT_SUCCESS( Status ) ) {
  219. goto Cleanup;
  220. }
  223. //
  224. // Further encrypt the encrypted "SessionKey" using upper 7 bytes
  225. //
  227. ASSERT( LM_OWF_PASSWORD_LENGTH == 2*BLOCK_KEY_LENGTH+2 );
  229. RtlCopyMemory( &BlockKey,
  230. ((PUCHAR)CryptKey) + 2 + BLOCK_KEY_LENGTH,
  231. BLOCK_KEY_LENGTH );
  233. Status = RtlEncryptBlock(
  234. (PCLEAR_BLOCK) &TempSessionKey, // Clear text
  235. &BlockKey, // Key
  236. (PCYPHER_BLOCK) SessionKey); // Cypher Block
  238. if ( !NT_SUCCESS( Status ) ) {
  239. goto Cleanup;
  240. }
  241. #ifndef NETSETUP_JOIN
  242. }
  243. #endif // NETSETUP_JOIN
  245. Cleanup:
  246. #ifndef NETSETUP_JOIN
  247. if (CheckBuffer != NULL) {
  248. Status = Check->Finish(&CheckBuffer);
  250. if (!NT_SUCCESS(Status)) {
  251. NlPrint(( NL_CRITICAL,"NlMakeSessionKey: Failed to finish checksum: 0x%x\n", Status));
  252. }
  253. }
  254. #endif // NETSETUP_JOIN
  256. return Status;
  257. }
  260. VOID
  261. NlComputeChallenge(
  262. OUT PNETLOGON_CREDENTIAL Challenge
  263. )
  265. /*++
  267. Routine Description:
  269. Generates a 64 bit challenge
  271. Arguments:
  273. Challenge - Returns the computed challenge
  275. Return Value:
  277. None.
  279. --*/
  280. {
  282. //
  283. // Use an ideal random bit generator.
  284. //
  286. if (!NlGenerateRandomBits( (LPBYTE)Challenge, sizeof(*Challenge) )) {
  287. NlPrint((NL_CRITICAL, "Can't NlGenerateRandomBits\n" ));
  288. }
  290. return;
  291. }
  293. VOID
  294. NlComputeCredentials(
  295. IN PNETLOGON_CREDENTIAL Challenge,
  296. OUT PNETLOGON_CREDENTIAL Credential,
  297. IN PNETLOGON_SESSION_KEY SessionKey
  298. )
  299. /*++
  301. Routine Description:
  303. Calculate the credentials by encrypting the 8 byte
  304. challenge with first 7 bytes of sessionkey and then
  305. further encrypting it by next 7 bytes of sessionkey.
  307. Arguments:
  309. Challenge - Supplies the 8 byte (64 bit) challenge
  311. Credential - Returns the 8 byte (64 bit) number generated
  313. SessionKey - Supplies 14 byte (112 bit) encryption key
  314. The buffer is 16 bytes (128 bits) long. For a weak key, the trailing 8 bytes
  315. are zero. For a strong key, this routine ingored that trailing 2 bytes of
  316. useful key.
  318. Return Value:
  320. NONE
  322. --*/
  323. {
  324. NTSTATUS Status;
  325. BLOCK_KEY BlockKey;
  326. CYPHER_BLOCK IntermediateBlock;
  328. RtlZeroMemory(Credential, sizeof(*Credential));
  330. //
  331. // use first 7 bytes of SessionKey for first encryption
  332. //
  334. RtlCopyMemory( &BlockKey, SessionKey, BLOCK_KEY_LENGTH );
  336. Status = RtlEncryptBlock( (PCLEAR_BLOCK) Challenge, // Cleartext
  337. &BlockKey, // Key
  338. &IntermediateBlock ); // Cypher Block
  340. ASSERT( NT_SUCCESS(Status) );
  342. //
  343. // further encrypt the encrypted Credential using next 7 bytes
  344. //
  346. RtlCopyMemory( &BlockKey,
  347. ((PUCHAR)SessionKey) + BLOCK_KEY_LENGTH,
  348. BLOCK_KEY_LENGTH );
  350. Status = RtlEncryptBlock( (PCLEAR_BLOCK) &IntermediateBlock, // Cleartext
  351. &BlockKey, // Key
  352. Credential ); // Cypher Block
  354. ASSERT( NT_SUCCESS(Status) );
  356. return;
  358. }
  360. BOOLEAN
  361. NlGenerateRandomBits(
  362. PUCHAR Buffer,
  363. ULONG BufferLen
  364. )
  365. /*++
  367. Routine Description:
  369. Generates random bits
  371. Arguments:
  373. pBuffer - Buffer to fill
  375. cbBuffer - Number of bytes in buffer
  377. Return Value:
  379. Status of the operation.
  381. --*/
  383. {
  384. if( !CryptGenRandom( NlGlobalCryptProvider, BufferLen, ( LPBYTE )Buffer ) )
  385. {
  386. NlPrint((NL_CRITICAL, "CryptGenRandom failed with %lu\n", GetLastError() ));
  387. return FALSE;
  388. }
  390. return TRUE;
  391. }
  395. NET_API_STATUS
  396. NET_API_FUNCTION
  397. NetpValidateMachineAccount(
  398. IN LPWSTR lpDc,
  399. IN LPWSTR lpDomain,
  400. IN LPWSTR lpMachine,
  401. IN LPWSTR lpPassword
  402. )
  403. /*++
  405. Routine Description:
  407. Performs validation that the machine account exists and has the same password we expect
  409. The internals of this function were lifted completely from SimulateFullSync() in
  410. ..\svcdlls\logonsrv\server\nltest.c,
  412. Arguments:
  414. lpDc -- Name of the Dc
  415. lpDomain -- Name of the domain
  416. lpMachine -- Current machine (Netbios name)
  417. lpPassword -- Password that should be on the account.
  420. Returns:
  422. NERR_Success -- Success
  424. --*/
  425. {
  426. NTSTATUS Status = STATUS_SUCCESS;
  428. NETLOGON_CREDENTIAL ServerChallenge;
  429. NETLOGON_CREDENTIAL ClientChallenge;
  430. NETLOGON_CREDENTIAL ComputedServerCredential;
  431. NETLOGON_CREDENTIAL ReturnedServerCredential;
  432. NETLOGON_CREDENTIAL AuthenticationSeed;
  433. NETLOGON_SESSION_KEY SessionKey;
  434. WCHAR AccountName[SSI_ACCOUNT_NAME_LENGTH+1];
  435. UNICODE_STRING Password;
  436. NT_OWF_PASSWORD NtOwfPassword;
  438. UNREFERENCED_PARAMETER( lpDomain );
  440. ASSERT( lpPassword );
  442. //
  443. // Validate the machine name length to avoid buffer overrun
  444. //
  446. if ( lpMachine == NULL || wcslen(lpMachine) > CNLEN ) {
  447. return ERROR_INVALID_PARAMETER;
  448. }
  450. //
  451. // initialize Crypto Provider.
  452. // (required for NlComputeChallenge).
  453. //
  455. if ( !CryptAcquireContext(
  456. &NlGlobalCryptProvider,
  457. NULL,
  458. NULL,
  459. PROV_RSA_FULL,
  460. CRYPT_VERIFYCONTEXT
  461. ))
  462. {
  463. NlGlobalCryptProvider = (HCRYPTPROV)NULL;
  464. return (NET_API_STATUS)GetLastError();
  465. }
  467. //
  468. // Prepare our challenge
  469. //
  471. NlComputeChallenge( &ClientChallenge );
  473. //
  474. // free cryptographic service provider.
  475. //
  476. if ( NlGlobalCryptProvider ) {
  477. CryptReleaseContext( NlGlobalCryptProvider, 0 );
  478. NlGlobalCryptProvider = (HCRYPTPROV)NULL;
  479. }
  482. //
  483. // Get the primary's challenge
  484. //
  486. Status = I_NetServerReqChallenge(lpDc,
  487. lpMachine,
  488. &ClientChallenge,
  489. &ServerChallenge );
  491. if ( !NT_SUCCESS( Status ) ) {
  493. goto ValidateMachineAccountError;
  494. }
  497. Password.Length = Password.MaximumLength = wcslen(lpPassword) * sizeof(WCHAR);
  498. Password.Buffer = lpPassword;
  500. //
  501. // Compute the NT OWF password for this user.
  502. //
  504. Status = RtlCalculateNtOwfPassword( &Password, &NtOwfPassword );
  506. if ( !NT_SUCCESS( Status ) ) {
  508. goto ValidateMachineAccountError;
  510. }
  513. //
  514. // Actually compute the session key given the two challenges and the
  515. // password.
  516. //
  518. NlMakeSessionKey(
  519. #if(_WIN32_WINNT >= 0x0500)
  520. 0,
  521. #endif
  522. &NtOwfPassword,
  523. &ClientChallenge,
  524. &ServerChallenge,
  525. &SessionKey );
  527. //
  528. // Prepare credentials using our challenge.
  529. //
  531. NlComputeCredentials( &ClientChallenge,
  532. &AuthenticationSeed,
  533. &SessionKey );
  535. //
  536. // Send these credentials to primary. The primary will compute
  537. // credentials using the challenge supplied by us and compare
  538. // with these. If both match then it will compute credentials
  539. // using its challenge and return it to us for verification
  540. //
  542. wcscpy( AccountName, lpMachine );
  543. wcscat( AccountName, SSI_ACCOUNT_NAME_POSTFIX);
  545. Status = I_NetServerAuthenticate( lpDc,
  546. AccountName,
  547. WorkstationSecureChannel,
  548. lpMachine,
  549. &AuthenticationSeed,
  550. &ReturnedServerCredential );
  552. if ( !NT_SUCCESS( Status ) ) {
  554. goto ValidateMachineAccountError;
  556. }
  559. //
  560. // The DC returned a server credential to us,
  561. // ensure the server credential matches the one we would compute.
  562. //
  564. NlComputeCredentials( &ServerChallenge,
  565. &ComputedServerCredential,
  566. &SessionKey);
  569. if (RtlCompareMemory( &ReturnedServerCredential,
  570. &ComputedServerCredential,
  571. sizeof(ReturnedServerCredential)) !=
  572. sizeof(ReturnedServerCredential)) {
  574. Status = STATUS_ACCESS_DENIED;
  575. }
  578. ValidateMachineAccountError:
  580. if ( Status == STATUS_ACCESS_DENIED ) {
  582. Status = STATUS_LOGON_FAILURE;
  583. }
  585. if ( !NT_SUCCESS( Status ) ) {
  587. NetpLog(( "Failed to validate machine account for %ws against %ws: 0x%lx\n",
  588. lpMachine, lpDc, Status ));
  589. }
  593. return( RtlNtStatusToDosError( Status ) );
  594. }