archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
3 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 827363a95b
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '827363a95b'
${ noResults }
windows-server-2003/net/ias/providers/ntuser/auth/ntsamauth.cpp

797 lines
22 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. ///////////////////////////////////////////////////////////////////////////////
  2. //
  3. // Copyright (c) Microsoft Corporation
  4. //
  5. // SYNOPSIS
  6. //
  7. // Defines the class NTSamAuthentication.
  8. //
  9. ///////////////////////////////////////////////////////////////////////////////
  10. #include <ias.h>
  11. #include <ntsamauth.h>
  12. #include <autohdl.h>
  13. #include <blob.h>
  14. #include <iaslsa.h>
  15. #include <iastlutl.h>
  16. #include <lockout.h>
  17. #include <mbstring.h>
  18. #include <samutil.h>
  19. #include <sdoias.h>
  21. bool NTSamAuthentication::allowLM;
  23. STDMETHODIMP NTSamAuthentication::Initialize()
  24. {
  25. DWORD error = IASLsaInitialize();
  26. if (error == NO_ERROR)
  27. {
  28. AccountLockoutInitialize();
  29. }
  31. return HRESULT_FROM_WIN32(error);
  32. }
  35. STDMETHODIMP NTSamAuthentication::Shutdown()
  36. {
  37. AccountLockoutShutdown();
  38. IASLsaUninitialize();
  39. return S_OK;
  40. }
  43. STDMETHODIMP NTSamAuthentication::PutProperty(LONG Id, VARIANT *pValue)
  44. {
  45. if (Id == PROPERTY_NTSAM_ALLOW_LM_AUTHENTICATION &&
  46. pValue != NULL &&
  47. V_VT(pValue) == VT_BOOL)
  48. {
  49. allowLM = V_BOOL(pValue) ? true : false;
  50. IASTracePrintf(
  51. "Setting LM Authentication allowed to %s.",
  52. (allowLM ? "TRUE" : "FALSE")
  53. );
  54. }
  56. return S_OK;
  57. }
  60. bool NTSamAuthentication::enforceLmRestriction(
  61. IASTL::IASRequest& request
  62. )
  63. {
  64. if (!allowLM)
  65. {
  66. IASTraceString("LanManager authentication is not enabled.");
  67. IASProcessFailure(request, IAS_LM_NOT_ALLOWED);
  68. }
  70. return allowLM;
  71. }
  74. void NTSamAuthentication::doMsChapAuthentication(
  75. IASTL::IASRequest& request,
  76. PCWSTR domainName,
  77. PCWSTR username,
  78. BYTE identity,
  79. PBYTE challenge,
  80. PBYTE ntResponse,
  81. PBYTE lmResponse
  82. )
  83. {
  84. DWORD status;
  85. auto_handle<> token;
  86. IAS_MSCHAP_PROFILE profile;
  87. status = IASLogonMSCHAP(
  88. username,
  89. domainName,
  90. challenge,
  91. ntResponse,
  92. lmResponse,
  93. &profile,
  94. &token
  95. );
  97. if (status == NO_ERROR)
  98. {
  99. MSChapMPPEKeys::insert(
  100. request,
  101. profile.LanmanSessionKey,
  102. profile.UserSessionKey,
  103. challenge
  104. );
  105. MSChapDomain::insert(
  106. request,
  107. identity,
  108. profile.LogonDomainName
  109. );
  110. }
  112. storeLogonResult(request, status, token, profile.KickOffTime);
  113. }
  116. void NTSamAuthentication::doMsChap2Authentication(
  117. IASTL::IASRequest& request,
  118. PCWSTR domainName,
  119. PCWSTR username,
  120. BYTE identity,
  121. IAS_OCTET_STRING& challenge,
  122. PBYTE response,
  123. PBYTE peerChallenge
  124. )
  125. {
  126. //////////
  127. // Get the hash username.
  128. //////////
  130. PIASATTRIBUTE attr = IASPeekAttribute(
  131. request,
  132. IAS_ATTRIBUTE_ORIGINAL_USER_NAME,
  133. IASTYPE_OCTET_STRING
  134. );
  135. if (!attr)
  136. {
  137. attr = IASPeekAttribute(
  138. request,
  139. RADIUS_ATTRIBUTE_USER_NAME,
  140. IASTYPE_OCTET_STRING
  141. );
  142. if (!attr)
  143. {
  144. _com_issue_error(IAS_MALFORMED_REQUEST);
  145. }
  146. }
  148. PCSTR rawUserName = IAS_OCT2ANSI(attr->Value.OctetString);
  149. PCSTR hashUserName = (PCSTR)_mbschr((const BYTE*)rawUserName, '\\');
  150. hashUserName = hashUserName ? (hashUserName + 1) : rawUserName;
  152. //////////
  153. // Authenticate the user.
  154. //////////
  156. DWORD status;
  157. auto_handle<> token;
  158. IAS_MSCHAP_V2_PROFILE profile;
  159. status = IASLogonMSCHAPv2(
  160. username,
  161. domainName,
  162. hashUserName,
  163. challenge.lpValue,
  164. challenge.dwLength,
  165. response,
  166. peerChallenge,
  167. &profile,
  168. &token
  169. );
  171. //////////
  172. // Process the result.
  173. //////////
  175. if (status == NO_ERROR)
  176. {
  177. MSMPPEKey::insert(
  178. request,
  179. sizeof(profile.RecvSessionKey),
  180. profile.RecvSessionKey,
  181. FALSE
  182. );
  184. MSMPPEKey::insert(
  185. request,
  186. sizeof(profile.SendSessionKey),
  187. profile.SendSessionKey,
  188. TRUE
  189. );
  191. MSChap2Success::insert(
  192. request,
  193. identity,
  194. profile.AuthResponse
  195. );
  197. MSChapDomain::insert(
  198. request,
  199. identity,
  200. profile.LogonDomainName
  201. );
  202. }
  204. storeLogonResult(request, status, token, profile.KickOffTime);
  205. }
  208. IASREQUESTSTATUS NTSamAuthentication::onSyncRequest(IRequest* pRequest) throw ()
  209. {
  210. HANDLE hAccount = 0;
  212. try
  213. {
  214. IASTL::IASRequest request(pRequest);
  216. //////////
  217. // Extract the NT4-Account-Name attribute.
  218. //////////
  220. IASTL::IASAttribute identity;
  221. if (!identity.load(
  222. request,
  223. IAS_ATTRIBUTE_NT4_ACCOUNT_NAME,
  224. IASTYPE_STRING
  225. ))
  226. {
  227. return IAS_REQUEST_STATUS_CONTINUE;
  228. }
  230. //////////
  231. // Convert the User-Name to SAM format.
  232. //////////
  234. SamExtractor extractor(*identity);
  235. PCWSTR domain = extractor.getDomain();
  236. PCWSTR username = extractor.getUsername();
  238. IASTracePrintf(
  239. "NT-SAM Authentication handler received request for %S\\%S.",
  240. domain,
  241. username
  242. );
  244. //////////
  245. // Check if the account has been locked out.
  246. //////////
  248. if (AccountLockoutOpenAndQuery(
  249. username,
  250. domain,
  251. &hAccount
  252. ))
  253. {
  254. IASTraceString("Account has been locked out locally -- rejecting.");
  255. AccountLockoutClose(hAccount);
  256. request.SetResponse(IAS_RESPONSE_ACCESS_REJECT, IAS_DIALIN_LOCKED_OUT);
  257. return IAS_REQUEST_STATUS_CONTINUE;
  258. }
  260. // Try each authentication type.
  261. if (!tryMsChap2All(request, domain, username) &&
  262. !tryMsChapAll(request, domain, username) &&
  263. !tryMd5Chap(request, domain, username) &&
  264. !tryPap(request, domain, username))
  265. {
  266. // Since the EAP request handler is invoked after policy
  267. // evaluation, we have to set the auth type here.
  268. if (IASPeekAttribute(
  269. request,
  270. RADIUS_ATTRIBUTE_EAP_MESSAGE,
  271. IASTYPE_OCTET_STRING
  272. ))
  273. {
  274. storeAuthenticationType(request, IAS_AUTH_EAP);
  275. }
  276. else
  277. {
  278. // Otherwise, the auth type is "Unauthenticated".
  279. storeAuthenticationType(request, IAS_AUTH_NONE);
  280. }
  281. }
  283. //////////
  284. // Update the lockout database based on the results.
  285. //////////
  287. if (request.get_Response() == IAS_RESPONSE_ACCESS_ACCEPT)
  288. {
  289. AccountLockoutUpdatePass(hAccount);
  290. }
  291. else if (request.get_Reason() == IAS_AUTH_FAILURE)
  292. {
  293. AccountLockoutUpdateFail(hAccount);
  294. }
  295. }
  296. catch (const _com_error& ce)
  297. {
  298. IASTraceExcept();
  299. IASProcessFailure(pRequest, ce.Error());
  300. }
  302. AccountLockoutClose(hAccount);
  304. return IAS_REQUEST_STATUS_CONTINUE;
  305. }
  308. void NTSamAuthentication::storeAuthenticationType(
  309. IASTL::IASRequest& request,
  310. DWORD authType
  311. )
  312. {
  313. IASTL::IASAttribute attr(true);
  314. attr->dwId = IAS_ATTRIBUTE_AUTHENTICATION_TYPE;
  315. attr->Value.itType = IASTYPE_ENUM;
  316. attr->Value.Enumerator = authType;
  317. attr.store(request);
  318. }
  321. void NTSamAuthentication::storeLogonResult(
  322. IASTL::IASRequest& request,
  323. DWORD status,
  324. HANDLE token,
  325. const LARGE_INTEGER& kickOffTime
  326. )
  327. {
  328. if (status == ERROR_SUCCESS)
  329. {
  330. IASTraceString("LogonUser succeeded.");
  331. storeTokenGroups(request, token);
  332. request.SetResponse(IAS_RESPONSE_ACCESS_ACCEPT, S_OK);
  334. // Add the Session-Timeout attribute to the request if it is not infinite
  335. // it'll be carried over to the response later on.
  336. InsertInternalTimeout(request, kickOffTime);
  337. }
  338. else
  339. {
  340. IASTraceFailure("LogonUser", status);
  341. IASProcessFailure(request, IASMapWin32Error(status, IAS_AUTH_FAILURE));
  342. }
  343. }
  346. void NTSamAuthentication::storeTokenGroups(
  347. IASTL::IASRequest& request,
  348. HANDLE token
  349. )
  350. {
  351. DWORD returnLength;
  353. //////////
  354. // Determine the needed buffer size.
  355. //////////
  357. BOOL success = GetTokenInformation(
  358. token,
  359. TokenGroups,
  360. NULL,
  361. 0,
  362. &returnLength
  363. );
  365. DWORD status = GetLastError();
  367. // Should have failed with ERROR_INSUFFICIENT_BUFFER.
  368. if (success || status != ERROR_INSUFFICIENT_BUFFER)
  369. {
  370. IASTraceFailure("GetTokenInformation", status);
  371. _com_issue_error(HRESULT_FROM_WIN32(status));
  372. }
  374. //////////
  375. // Allocate an attribute.
  376. //////////
  378. IASTL::IASAttribute groups(true);
  380. //////////
  381. // Allocate a buffer to hold the TOKEN_GROUPS array.
  382. //////////
  384. groups->Value.OctetString.lpValue = (PBYTE)CoTaskMemAlloc(returnLength);
  385. if (!groups->Value.OctetString.lpValue)
  386. {
  387. _com_issue_error(E_OUTOFMEMORY);
  388. }
  390. //////////
  391. // Get the Token Groups info.
  392. //////////
  394. GetTokenInformation(
  395. token,
  396. TokenGroups,
  397. groups->Value.OctetString.lpValue,
  398. returnLength,
  399. &groups->Value.OctetString.dwLength
  400. );
  402. //////////
  403. // Set the id and type of the initialized attribute.
  404. //////////
  406. groups->dwId = IAS_ATTRIBUTE_TOKEN_GROUPS;
  407. groups->Value.itType = IASTYPE_OCTET_STRING;
  409. //////////
  410. // Inject the Token-Groups into the request.
  411. //////////
  413. groups.store(request);
  414. }
  417. bool NTSamAuthentication::tryMsChap(
  418. IASTL::IASRequest& request,
  419. PCWSTR domainName,
  420. PCWSTR username,
  421. PBYTE challenge
  422. )
  423. {
  424. // Is the necessary attribute present?
  425. IASAttribute attr;
  426. if (!attr.load(
  427. request,
  428. MS_ATTRIBUTE_CHAP_RESPONSE,
  429. IASTYPE_OCTET_STRING
  430. ))
  431. {
  432. return false;
  433. }
  434. MSChapResponse& response = blob_cast<MSChapResponse>(attr);
  436. IASTraceString("Processing MS-CHAP v1 authentication.");
  437. storeAuthenticationType(request, IAS_AUTH_MSCHAP);
  439. if (!response.isLmPresent() || enforceLmRestriction(request))
  440. {
  441. doMsChapAuthentication(
  442. request,
  443. domainName,
  444. username,
  445. response.get().ident,
  446. challenge,
  447. (response.isNtPresent() ? response.get().ntResponse : NULL),
  448. (response.isLmPresent() ? response.get().lmResponse : NULL)
  449. );
  450. }
  452. return true;
  453. }
  456. bool NTSamAuthentication::tryMsChapCpw1(
  457. IASTL::IASRequest& request,
  458. PCWSTR domainName,
  459. PCWSTR username,
  460. PBYTE challenge
  461. )
  462. {
  463. // Is the necessary attribute present ?
  464. IASAttribute attr;
  465. bool present = attr.load(
  466. request,
  467. MS_ATTRIBUTE_CHAP_CPW1,
  468. IASTYPE_OCTET_STRING
  469. );
  470. if (present)
  471. {
  472. IASTraceString("Deferring MS-CHAP-CPW-1.");
  473. storeAuthenticationType(request, IAS_AUTH_MSCHAP_CPW);
  474. }
  476. return present;
  477. }
  480. bool NTSamAuthentication::tryMsChapCpw2(
  481. IASTL::IASRequest& request,
  482. PCWSTR domainName,
  483. PCWSTR username,
  484. PBYTE challenge
  485. )
  486. {
  487. // Is the necessary attribute present ?
  488. IASAttribute attr;
  489. bool present = attr.load(
  490. request,
  491. MS_ATTRIBUTE_CHAP_CPW2,
  492. IASTYPE_OCTET_STRING
  493. );
  494. if (present)
  495. {
  496. IASTraceString("Deferring MS-CHAP-CPW-2.");
  497. storeAuthenticationType(request, IAS_AUTH_MSCHAP_CPW);
  498. }
  500. return present;
  501. }
  504. bool NTSamAuthentication::tryMsChap2(
  505. IASTL::IASRequest& request,
  506. PCWSTR domainName,
  507. PCWSTR username,
  508. IAS_OCTET_STRING& challenge
  509. )
  510. {
  511. // Is the necessary attribute present?
  512. IASAttribute attr;
  513. if (!attr.load(
  514. request,
  515. MS_ATTRIBUTE_CHAP2_RESPONSE,
  516. IASTYPE_OCTET_STRING
  517. ))
  518. {
  519. return false;
  520. }
  521. MSChap2Response& response = blob_cast<MSChap2Response>(attr);
  523. IASTraceString("Processing MS-CHAP v2 authentication.");
  524. storeAuthenticationType(request, IAS_AUTH_MSCHAP2);
  526. //////////
  527. // Authenticate the user.
  528. //////////
  530. doMsChap2Authentication(
  531. request,
  532. domainName,
  533. username,
  534. response.get().ident,
  535. challenge,
  536. response.get().response,
  537. response.get().peerChallenge
  538. );
  540. return true;
  541. }
  544. bool NTSamAuthentication::tryMsChap2Cpw(
  545. IASTL::IASRequest& request,
  546. PCWSTR domainName,
  547. PCWSTR username,
  548. IAS_OCTET_STRING& challenge
  549. )
  550. {
  551. // Is the necessary attribute present ?
  552. IASAttribute attr;
  553. bool present = attr.load(
  554. request,
  555. MS_ATTRIBUTE_CHAP2_CPW,
  556. IASTYPE_OCTET_STRING
  557. );
  558. if (present)
  559. {
  560. IASTraceString("Deferring MS-CHAP v2 change password.");
  561. storeAuthenticationType(request, IAS_AUTH_MSCHAP2_CPW);
  562. }
  564. return present;
  565. }
  568. bool NTSamAuthentication::tryMd5Chap(
  569. IASTL::IASRequest& request,
  570. PCWSTR domainName,
  571. PCWSTR username
  572. )
  573. {
  574. // Is the necessary attribute present?
  575. IASTL::IASAttribute chapPassword;
  576. if (!chapPassword.load(
  577. request,
  578. RADIUS_ATTRIBUTE_CHAP_PASSWORD,
  579. IASTYPE_OCTET_STRING
  580. ))
  581. {
  582. return false;
  583. }
  585. IASTraceString("Processing MD5-CHAP authentication.");
  586. storeAuthenticationType(request, IAS_AUTH_MD5CHAP);
  588. // validate length of the octetstring is 17
  589. DWORD chapPasswordLength = chapPassword->Value.OctetString.dwLength;
  591. if (chapPasswordLength != (_CHAP_RESPONSE_SIZE + 1))
  592. {
  593. IASTracePrintf("Malformed request: Length of CHAP_PASSWORD is %ld",
  594. chapPasswordLength);
  595. _com_issue_error(IAS_MALFORMED_REQUEST);
  596. }
  598. //////////
  599. // Split up the CHAP-Password attribute.
  600. //////////
  602. // The ID is the first byte of the value ...
  603. BYTE challengeID = *(chapPassword->Value.OctetString.lpValue);
  605. // ... and the password is the rest.
  606. PBYTE password = chapPassword->Value.OctetString.lpValue + 1;
  608. //////////
  609. // Use the CHAP-Challenge if available, request authenticator otherwise.
  610. //////////
  612. IASTL::IASAttribute chapChallenge, radiusHeader;
  613. if (!chapChallenge.load(
  614. request,
  615. RADIUS_ATTRIBUTE_CHAP_CHALLENGE,
  616. IASTYPE_OCTET_STRING
  617. ) &&
  618. !radiusHeader.load(
  619. request,
  620. IAS_ATTRIBUTE_CLIENT_PACKET_HEADER,
  621. IASTYPE_OCTET_STRING
  622. ))
  623. {
  624. _com_issue_error(IAS_MALFORMED_REQUEST);
  625. }
  627. PBYTE challenge;
  628. DWORD challengeLength;
  630. if (chapChallenge)
  631. {
  632. challenge = chapChallenge->Value.OctetString.lpValue;
  633. challengeLength = chapChallenge->Value.OctetString.dwLength;
  634. }
  635. else
  636. {
  637. challenge = radiusHeader->Value.OctetString.lpValue + 4;
  638. challengeLength = 16;
  639. }
  642. //////////
  643. // Try to logon the user.
  644. //////////
  646. IAS_CHAP_PROFILE profile;
  647. auto_handle<> token;
  648. DWORD status = IASLogonCHAP(
  649. username,
  650. domainName,
  651. challengeID,
  652. challenge,
  653. challengeLength,
  654. password,
  655. &token,
  656. &profile
  657. );
  659. //////////
  660. // Store the results.
  661. //////////
  662. storeLogonResult(request, status, token, profile.KickOffTime);
  664. return true;
  665. }
  668. bool NTSamAuthentication::tryMsChapAll(
  669. IASTL::IASRequest& request,
  670. PCWSTR domainName,
  671. PCWSTR username
  672. )
  673. {
  674. // Do we have the necessary attribute?
  675. IASTL::IASAttribute msChapChallenge;
  676. if (!msChapChallenge.load(
  677. request,
  678. MS_ATTRIBUTE_CHAP_CHALLENGE,
  679. IASTYPE_OCTET_STRING
  680. ))
  681. {
  682. return false;
  683. }
  685. if (msChapChallenge->Value.OctetString.dwLength != _MSV1_0_CHALLENGE_LENGTH)
  686. {
  687. _com_issue_error(IAS_MALFORMED_REQUEST);
  688. }
  690. PBYTE challenge = msChapChallenge->Value.OctetString.lpValue;
  692. return tryMsChap(request, domainName, username, challenge) ||
  693. tryMsChapCpw2(request, domainName, username, challenge) ||
  694. tryMsChapCpw1(request, domainName, username, challenge);
  695. }
  698. bool NTSamAuthentication::tryMsChap2All(
  699. IASTL::IASRequest& request,
  700. PCWSTR domainName,
  701. PCWSTR username
  702. )
  703. {
  704. // Do we have the necessary attribute?
  705. IASTL::IASAttribute msChapChallenge;
  706. if (!msChapChallenge.load(
  707. request,
  708. MS_ATTRIBUTE_CHAP_CHALLENGE,
  709. IASTYPE_OCTET_STRING
  710. ))
  711. {
  712. return false;
  713. }
  715. IAS_OCTET_STRING& challenge = msChapChallenge->Value.OctetString;
  717. return tryMsChap2(request, domainName, username, challenge) ||
  718. tryMsChap2Cpw(request, domainName, username, challenge);
  719. }
  722. bool NTSamAuthentication::tryPap(
  723. IASTL::IASRequest& request,
  724. PCWSTR domainName,
  725. PCWSTR username
  726. )
  727. {
  728. // Do we have the necessary attribute?
  729. IASTL::IASAttribute password;
  730. if (!password.load(
  731. request,
  732. RADIUS_ATTRIBUTE_USER_PASSWORD,
  733. IASTYPE_OCTET_STRING
  734. ))
  735. {
  736. return false;
  737. }
  739. IASTraceString("Processing PAP authentication.");
  740. storeAuthenticationType(request, IAS_AUTH_PAP);
  742. //////////
  743. // Convert the password to a string.
  744. //////////
  746. PSTR userPwd = IAS_OCT2ANSI(password->Value.OctetString);
  748. //////////
  749. // Try to logon the user.
  750. //////////
  752. IAS_PAP_PROFILE profile;
  753. auto_handle<> token;
  754. DWORD status = IASLogonPAP(
  755. username,
  756. domainName,
  757. userPwd,
  758. &token,
  759. &profile
  760. );
  762. //////////
  763. // Store the results.
  764. //////////
  765. storeLogonResult(request, status, token, profile.KickOffTime);
  767. return true;
  768. }
  770. void InsertInternalTimeout(
  771. IASTL::IASRequest& request,
  772. const LARGE_INTEGER& kickOffTime
  773. )
  775. {
  776. if ((kickOffTime.QuadPart < MAXLONGLONG) && (kickOffTime.QuadPart >= 0))
  777. {
  778. LONGLONG now;
  779. GetSystemTimeAsFileTime(reinterpret_cast<FILETIME*>(&now));
  781. // Compute the interval in seconds.
  782. LONGLONG interval = (kickOffTime.QuadPart - now) / 10000000i64;
  783. if (interval <= 0)
  784. {
  785. interval = 1;
  786. }
  788. if (interval < 0xFFFFFFFF)
  789. {
  790. IASAttribute sessionTimeout(true);
  791. sessionTimeout->dwId = MS_ATTRIBUTE_SESSION_TIMEOUT;
  792. sessionTimeout->Value.itType = IASTYPE_INTEGER;
  793. sessionTimeout->Value.Integer = static_cast<DWORD>(interval);
  794. sessionTimeout.store(request);
  795. }
  796. }
  797. }