archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/ds/security/tools/ksetup/support.cxx

672 lines
16 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. SUPPORT.CXX
  5. Copyright (C) 1999 Microsoft Corporation, all rights reserved.
  7. DESCRIPTION: support functions for ktpass
  9. Created, May 21, 1999 by DavidCHR.
  11. CONTENTS: ReadRegistryStrings
  13. --*/
  15. #include "everything.hxx"
  17. NTSTATUS
  18. OpenLsa( VOID )
  19. {
  20. OBJECT_ATTRIBUTES oa;
  21. NTSTATUS Status;
  22. UNICODE_STRING ServerString;
  24. RtlInitUnicodeString(
  25. &ServerString,
  26. ServerName
  27. );
  29. InitializeObjectAttributes(&oa,NULL,0,NULL,NULL);
  31. Status = LsaOpenPolicy(&ServerString,&oa,MAXIMUM_ALLOWED,&LsaHandle);
  32. return(Status);
  33. }
  35. NTSTATUS
  36. OpenLocalLsa( OUT PLSA_HANDLE phLsa ) {
  38. static LSA_HANDLE hLsa = NULL;
  39. NTSTATUS N = STATUS_SUCCESS;
  41. if ( !hLsa ) {
  43. N = LsaConnectUntrusted( &hLsa );
  45. if ( !NT_SUCCESS( N ) ) {
  47. printf( "Failed to connect to the local LSA: 0x%x\n",
  48. N );
  50. }
  52. }
  54. if ( NT_SUCCESS( N ) ) {
  56. *phLsa = hLsa;
  58. } else {
  60. hLsa = NULL;
  62. }
  64. return N;
  66. }
  71. /*++**************************************************************
  72. NAME: ReadActualPassword
  74. convenience routine for reading the password for a particular
  75. account. Disables command line echo for the duration.
  77. MODIFIES: Password -- receives the new password
  79. TAKES: Description -- descriptive string to insert
  80. into prompts and error messages.
  81. flags -- see everything.h:
  82. PROMPT_USING_POSSESSIVE_CASE
  83. PROMPT_FOR_PASSWORD_TWICE
  85. RETURNS: TRUE when the function succeeds.
  86. FALSE otherwise.
  87. LASTERROR: not set
  89. LOGGING: printf on failure
  90. CREATED: Apr 7, 1999
  91. LOCKING: none
  92. CALLED BY: anyone
  93. FREE WITH: n/a -- no resources are allocated
  95. CONTENTS: CallAuthPackage
  97. **************************************************************--*/
  99. BOOL
  100. ReadActualPassword( IN LPWSTR Description,
  101. IN ULONG flags,
  102. IN ULONG PasswordLength,
  103. OUT LPWSTR Password ) {
  105. HANDLE hConsole;
  106. DWORD dwMode;
  107. BOOL ret = FALSE;
  108. ULONG Length;
  109. WCHAR TempPassword[ MAX_PASSWD_LEN ];
  110. ULONG i;
  112. hConsole = GetStdHandle( STD_INPUT_HANDLE );
  114. if ( hConsole ) {
  116. // get the old console settings.
  118. if ( GetConsoleMode( hConsole,
  119. &dwMode ) ) {
  121. // now turn off typing echo
  123. if ( SetConsoleMode( hConsole,
  124. dwMode &~ ENABLE_ECHO_INPUT ) ) {
  126. fprintf( stderr,
  127. ( flags & PROMPT_USING_POSSESSIVE_CASE ) ?
  128. "Enter password for %ws: " :
  129. "Enter %ws password: ",
  130. Description );
  132. if ( !fgetws( Password, PasswordLength, stdin ) ) {
  134. fprintf( stderr,
  135. "EOF on input. Aborted.\n" );
  137. goto restoreConsoleMode;
  138. }
  140. for ( i = 0; i < PasswordLength; i++ )
  141. {
  142. if ( Password[i] == L'\n' )
  143. {
  144. Password[i] = L'\0';
  145. break;
  146. }
  147. }
  149. if ( flags & PROMPT_FOR_PASSWORD_TWICE ) {
  151. fprintf( stderr,
  152. "\nNow re-enter password to confirm: " );
  154. if ( !fgetws( TempPassword, MAX_PASSWD_LEN, stdin ) ) {
  156. fprintf( stderr,
  157. "EOF on input. Aborted.\n" );
  159. goto restoreConsoleMode;
  161. }
  163. for ( i = 0; i < MAX_PASSWD_LEN; i++ )
  164. {
  165. if ( TempPassword[i] == L'\n' )
  166. {
  167. TempPassword[i] = L'\0';
  168. break;
  169. }
  170. }
  171. }
  173. fprintf( stderr,
  174. "\n" );
  176. if ( flags & PROMPT_FOR_PASSWORD_TWICE ) {
  178. // verify that the two passwords are the same.
  180. if ( wcscmp( Password,
  181. TempPassword ) == 0 ) {
  183. ret = TRUE;
  185. } else {
  187. fprintf( stderr,
  188. "Passwords do not match.\n" );
  190. }
  192. } else {
  194. ret = TRUE;
  196. }
  198. restoreConsoleMode:
  199. // restore echo
  201. SetConsoleMode( hConsole,
  202. dwMode );
  205. } else {
  207. fprintf( stderr,
  208. "Failed to disable line echo for password entry of %ws: 0x%x.\n",
  209. Description,
  210. GetLastError() );
  212. }
  213. } else {
  215. fprintf( stderr,
  216. "Failed to retrieve current console settings: 0x%x\n",
  217. GetLastError() );
  219. }
  221. } else {
  223. fprintf( stderr,
  224. "Failed to obtain console handle so we could disable line input echo: 0x%x\n",
  225. GetLastError() );
  227. }
  229. SecureZeroMemory( TempPassword, sizeof( TempPassword ));
  231. return ret;
  233. }
  235. /*++**************************************************************
  236. NAME: ReadOptionallyStarredPassword
  238. if the given password is "*", read a new password from stdin.
  239. Otherwise, return the given password.
  241. MODIFIES: pPassword -- receives the real password
  243. TAKES: Password -- password to check for *
  244. Description, flags -- as ReadActualPassword
  246. RETURNS: TRUE when the function succeeds.
  247. FALSE otherwise.
  248. LASTERROR: not set
  250. LOGGING: printf on failure
  251. CREATED: Apr 7, 1999
  252. LOCKING: none
  253. CALLED BY: anyone
  254. FREE WITH: free()
  256. **************************************************************--*/
  258. BOOL
  259. ReadOptionallyStarredPassword( IN LPWSTR InPassword,
  260. IN ULONG flags,
  261. IN LPWSTR Description,
  262. OUT LPWSTR *pPassword ) {
  264. ULONG Length;
  265. LPWSTR OutPass;
  266. BOOL ReadPass;
  267. BOOL ret = FALSE;
  269. Length = lstrlenW( InPassword );
  271. if ( ( 1 == Length ) &&
  272. ( L'*' == InPassword[ 0 ] ) ) {
  274. ReadPass = TRUE;
  275. Length = MAX_PASSWD_LEN;
  277. } else {
  279. ReadPass = FALSE;
  281. }
  283. Length++; // null character
  284. Length *= sizeof( WCHAR );
  286. OutPass = (LPWSTR) malloc( Length );
  288. if ( OutPass != NULL ) {
  290. if ( ReadPass ) {
  292. ret = ReadActualPassword( Description,
  293. flags,
  294. Length / sizeof( WCHAR ),
  295. OutPass );
  297. } else {
  299. lstrcpyW( OutPass,
  300. InPassword );
  302. ret = TRUE;
  304. }
  306. if ( ret ) {
  308. *pPassword = OutPass;
  310. } else {
  312. SecureZeroMemory( OutPass, Length );
  313. free( OutPass );
  315. }
  316. } else {
  318. fprintf( stderr,
  319. "Failed to allocate memory for %ws password.\n",
  320. Description );
  321. }
  323. return ret;
  324. }
  326. /*++**************************************************************
  327. NAME: CallAuthPackage
  329. convenience routine to centralize calls to LsaCallAuthentication
  330. Package.
  332. MODIFIES: ppvOutput -- data returned by LsaCallAuthPackage
  333. pulOutputSize -- returned size of that buffer
  335. TAKES: pvData -- submission data for that same api
  336. ulInputSize -- sizeof the given buffer
  338. RETURNS: a status code indicating success or failure
  339. LOGGING: none
  340. CREATED: Apr 13, 1999
  341. LOCKING: none
  342. CALLED BY: anyone, most notably ChangeViaKpasswd
  343. FREE WITH: ppvOutput with LsaFreeReturnBuffer
  345. **************************************************************--*/
  347. NTSTATUS
  348. CallAuthPackage( IN PVOID pvData,
  349. IN ULONG ulInputSize,
  350. OUT PVOID *ppvOutput,
  351. OUT PULONG pulOutputSize ) {
  353. // These are globals that are specific to this function.
  355. static STRING Name = { 0 };
  356. static ULONG PackageId = 0;
  357. static BOOL NameSetup = FALSE;
  358. LSA_HANDLE hLsa;
  359. NTSTATUS N;
  361. if ( NT_SUCCESS( N = OpenLocalLsa( &hLsa ) ) ) {
  363. if ( !NameSetup ) {
  365. RtlInitString( &Name,
  366. MICROSOFT_KERBEROS_NAME_A );
  368. N = LsaLookupAuthenticationPackage( hLsa,
  369. &Name,
  370. &PackageId );
  372. NameSetup = NT_SUCCESS( N );
  374. }
  376. if ( NT_SUCCESS( N ) ) {
  378. NTSTATUS SubStatus;
  380. N = LsaCallAuthenticationPackage( hLsa,
  381. PackageId,
  382. pvData,
  383. ulInputSize,
  384. ppvOutput,
  385. pulOutputSize,
  386. &SubStatus );
  388. if ( !NT_SUCCESS( N ) ||
  389. !NT_SUCCESS( SubStatus ) ) {
  391. printf( "CallAuthPackage failed, status 0x%x, substatus 0x%x.\n",
  392. N, SubStatus );
  394. }
  396. if ( NT_SUCCESS( N ) ) {
  397. N = SubStatus;
  399. }
  400. }
  402. }
  404. return N;
  405. }
  407. VOID
  408. InitStringAndMoveOn( IN LPWSTR RealString,
  409. IN OUT LPWSTR *pCursor,
  410. IN OUT PUNICODE_STRING pString ) {
  412. ULONG Length;
  414. Length = lstrlenW( RealString ) +1;
  416. memcpy( *pCursor,
  417. RealString,
  418. Length * sizeof( WCHAR ) );
  420. RtlInitUnicodeString( pString,
  421. *pCursor );
  424. *pCursor += Length;
  426. // ASSERT( **pCursor == L'\0' );
  428. }
  433. NTSTATUS
  434. ChangeViaKpasswd( LPWSTR * Parameters ) {
  436. LPWSTR OldPassword = NULL, NewPassword = NULL;
  437. NTSTATUS ret = STATUS_UNSUCCESSFUL;
  438. PKERB_CHANGEPASSWORD_REQUEST pPasswd = NULL;
  439. LPWSTR Cursor;
  440. PVOID pvTrash;
  441. ULONG size, ulTrash;
  443. if ( !GlobalDomainSetting ) {
  445. printf( "Can't change password without /domain.\n" );
  446. ret = STATUS_INVALID_PARAMETER;
  448. } else if ( !( ReadOptionallyStarredPassword( Parameters[ 0 ],
  449. 0, // no flags
  450. L"your old",
  451. &OldPassword ) &&
  453. ReadOptionallyStarredPassword( Parameters[ 1 ],
  454. PROMPT_FOR_PASSWORD_TWICE,
  455. L"your new",
  456. &NewPassword ) ) ) {
  458. printf( "Failed to validate passwords for password change.\n" );
  459. ret = STATUS_INTERNAL_ERROR;
  461. } else {
  463. size = lstrlenW( GlobalDomainSetting ) + 1;
  464. size += lstrlenW( GlobalClientName ) + 1;
  465. size += lstrlenW( OldPassword ) + 1;
  466. size += lstrlenW( NewPassword ) + 1;
  468. // all strings above this line
  470. size *= sizeof( WCHAR );
  471. size += sizeof( *pPasswd ) ; // buffer
  473. pPasswd = (PKERB_CHANGEPASSWORD_REQUEST) malloc( size );
  475. if ( pPasswd ) {
  477. // start at the end of the password-request buffer
  479. Cursor = (LPWSTR) &( pPasswd[1] );
  481. pPasswd->MessageType = KerbChangePasswordMessage;
  483. InitStringAndMoveOn( GlobalDomainSetting,
  484. &Cursor,
  485. &pPasswd->DomainName );
  487. InitStringAndMoveOn( GlobalClientName,
  488. &Cursor,
  489. &pPasswd->AccountName );
  491. InitStringAndMoveOn( OldPassword,
  492. &Cursor,
  493. &pPasswd->OldPassword );
  495. InitStringAndMoveOn( NewPassword,
  496. &Cursor,
  497. &pPasswd->NewPassword );
  499. pPasswd->Impersonating = FALSE; // TRUE; // FALSE;
  501. ret = CallAuthPackage( pPasswd,
  502. size,
  503. (PVOID *) &pvTrash,
  504. &ulTrash );
  506. if ( NT_SUCCESS( ret ) ) {
  508. printf( "Password changed.\n" );
  510. } else {
  512. printf( "Failed to change password: 0x%x\n",
  513. ret );
  515. }
  517. // zero the buffer to minimize exposure of the password.
  519. SecureZeroMemory(
  520. pPasswd,
  521. size );
  523. free( pPasswd );
  525. } else {
  527. printf( "Failed to allocate %ld-byte password change request.\n",
  528. size );
  530. ret = STATUS_NO_MEMORY;
  531. }
  532. }
  534. // zero the buffers to minimize exposure of the passwords
  536. if ( NewPassword )
  537. {
  538. SecureZeroMemory( NewPassword, lstrlenW( NewPassword ));
  539. free( NewPassword );
  540. }
  542. if ( OldPassword )
  543. {
  544. SecureZeroMemory( OldPassword, lstrlenW( OldPassword ));
  545. free( OldPassword );
  546. }
  548. return ret;
  549. }
  552. DWORD
  553. OpenKerberosKey(
  554. OUT PHKEY KerbHandle
  555. )
  556. {
  557. DWORD RegErr;
  558. HKEY ServerHandle = NULL;
  559. DWORD Disposition;
  561. RegErr = RegConnectRegistry(
  562. ServerName,
  563. HKEY_LOCAL_MACHINE,
  564. &ServerHandle
  565. );
  566. if (RegErr)
  567. {
  568. printf("Failed to connect to registry: %d (0x%x) \n",RegErr, RegErr);
  569. goto Cleanup;
  570. }
  572. RegErr = RegCreateKeyEx(
  573. ServerHandle,
  574. KERB_KERBEROS_KEY,
  575. 0,
  576. NULL,
  577. 0, // no options
  578. KEY_CREATE_SUB_KEY,
  579. NULL,
  580. KerbHandle,
  581. &Disposition
  582. );
  583. if (RegErr)
  584. {
  585. printf("Failed to create Kerberos key: %d (0x%x)\n",RegErr, RegErr);
  586. goto Cleanup;
  587. }
  588. Cleanup:
  589. if (ServerHandle)
  590. {
  591. RegCloseKey(ServerHandle);
  592. }
  593. return(RegErr);
  594. }
  597. DWORD
  598. OpenSubKey( IN LPWSTR * Parameters,
  599. OUT PHKEY phKey ) {
  601. DWORD RegErr;
  602. HKEY KerbHandle = NULL;
  603. HKEY DomainHandle = NULL;
  604. HKEY DomainRoot = NULL;
  605. DWORD Disposition;
  606. LPWSTR OldServerNames = NULL;
  607. LPWSTR NewServerNames = NULL;
  608. ULONG OldKdcLength = 0;
  609. ULONG NewKdcLength = 0;
  610. ULONG Type;
  612. RegErr = OpenKerberosKey(&KerbHandle);
  614. if ( RegErr == ERROR_SUCCESS )
  615. {
  616. RegErr = RegCreateKeyEx( KerbHandle,
  617. KERB_DOMAINS_SUBKEY,
  618. 0,
  619. NULL,
  620. 0, // no options
  621. KEY_CREATE_SUB_KEY,
  622. NULL,
  623. &DomainRoot,
  624. &Disposition );
  626. if ( RegErr == ERROR_SUCCESS )
  627. {
  628. if ( Parameters && Parameters[ 0 ] )
  629. {
  630. RegErr = RegCreateKeyEx( DomainRoot,
  631. Parameters[0],
  632. 0,
  633. NULL,
  634. 0, // no options
  635. KEY_CREATE_SUB_KEY | KEY_SET_VALUE | KEY_QUERY_VALUE,
  636. NULL,
  637. &DomainHandle,
  638. &Disposition );
  640. if ( RegErr == ERROR_SUCCESS )
  641. {
  642. *phKey = DomainHandle;
  643. }
  644. else
  645. {
  646. printf("Failed to create %ws key: 0x%x\n", Parameters[ 0 ], RegErr);
  647. }
  649. RegCloseKey( DomainRoot );
  651. }
  652. else /* return the domain root if no domain is requested. */
  653. {
  654. *phKey = DomainRoot;
  655. }
  656. }
  657. else
  658. {
  659. printf( "Failed to create key %ws: 0x%x\n", Parameters[ 0 ], RegErr );
  660. }
  662. RegCloseKey( KerbHandle );
  664. }
  665. else
  666. {
  667. printf( "Failed to open Kerberos Key: 0x%x\n", RegErr );
  668. }
  670. return RegErr;
  671. }