You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1106 lines
32 KiB
1106 lines
32 KiB
//+---------------------------------------------------------------------------
|
|
//
|
|
// Microsoft Windows
|
|
// Copyright (C) Microsoft Corporation, 1992 - 1993.
|
|
//
|
|
// File: kpasswd.cxx
|
|
//
|
|
// Contents: Functions for the kpasswd protocol
|
|
//
|
|
// History: 30-Sep-97 MikeSw Created
|
|
//
|
|
//----------------------------------------------------------------------------
|
|
|
|
|
|
#include "kdcsvr.hxx"
|
|
#include "kpasswd.h"
|
|
#include "kdctrace.h"
|
|
extern "C"
|
|
{
|
|
#include <nlrepl.h>
|
|
}
|
|
|
|
#define FILENO FILENO_KPASSWD
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KdcbMarshallApReply
|
|
//
|
|
// Synopsis: Takes a reply and reply body and encrypts and marshalls them
|
|
// into a return message
|
|
//
|
|
// Effects: Allocates output buffer
|
|
//
|
|
// Arguments: Reply - The outer reply to marshall
|
|
// ReplyBody - The reply body to marshall
|
|
// SessionKey - Session key to encrypt reply
|
|
// PackedReply - Recives marshalled reply buffer
|
|
// PackedReplySize - Receives size in bytes of marshalled reply
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns: STATUS_SUCCESS or STATUS_INSUFFICIENT_RESOURCES
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
KERBERR
|
|
KdcMarshallApReply(
|
|
IN PKERB_AP_REPLY Reply,
|
|
IN PKERB_ENCRYPTED_AP_REPLY ReplyBody,
|
|
IN PKERB_ENCRYPTION_KEY SessionKey,
|
|
OUT PUCHAR * PackedReply,
|
|
OUT PULONG PackedReplySize
|
|
)
|
|
{
|
|
KERBERR KerbErr = KDC_ERR_NONE;
|
|
ULONG PackedApReplySize;
|
|
PUCHAR PackedApReply = NULL;
|
|
|
|
KerbErr = KerbPackApReplyBody(
|
|
ReplyBody,
|
|
&PackedApReplySize,
|
|
&PackedApReply
|
|
);
|
|
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now encrypt the response
|
|
//
|
|
|
|
KerbErr = KerbAllocateEncryptionBufferWrapper(
|
|
SessionKey->keytype,
|
|
PackedApReplySize,
|
|
&Reply->encrypted_part.cipher_text.length,
|
|
&Reply->encrypted_part.cipher_text.value
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbErr = KerbEncryptDataEx(
|
|
&Reply->encrypted_part,
|
|
PackedApReplySize,
|
|
PackedApReply,
|
|
KERB_NO_KEY_VERSION,
|
|
KERB_AP_REP_SALT,
|
|
SessionKey
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to encrypt AP Reply.%d\n", KerbErr));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now pack the reply into the output buffer
|
|
//
|
|
|
|
KerbErr = KerbPackApReply(
|
|
Reply,
|
|
PackedReplySize,
|
|
PackedReply
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
Cleanup:
|
|
if (Reply->encrypted_part.cipher_text.value != NULL)
|
|
{
|
|
MIDL_user_free(Reply->encrypted_part.cipher_text.value);
|
|
Reply->encrypted_part.cipher_text.value = NULL;
|
|
}
|
|
if (PackedApReply != NULL)
|
|
{
|
|
MIDL_user_free(PackedApReply);
|
|
}
|
|
|
|
return (KerbErr);
|
|
|
|
}
|
|
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KdcBuildKpasswdResponse
|
|
//
|
|
// Synopsis: builds the response to a kpasswd request
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments:
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
KERBERR
|
|
KdcBuildKpasswdResponse(
|
|
IN OPTIONAL PKERB_ENCRYPTED_TICKET EncryptedTicket,
|
|
IN OPTIONAL PKERB_AUTHENTICATOR Authenticator,
|
|
IN OPTIONAL PKERB_ENCRYPTION_KEY SessionKey,
|
|
IN OPTIONAL PSOCKADDR ServerAddress,
|
|
IN NTSTATUS ChangeResult,
|
|
IN KERBERR ProtocolResult,
|
|
IN PKERB_EXT_ERROR pExtendedError,
|
|
OUT PKERB_MESSAGE_BUFFER Response
|
|
)
|
|
{
|
|
KERB_PRIV_MESSAGE PrivMessage = {0};
|
|
KERB_ENCRYPTED_PRIV PrivBody = {0};
|
|
USHORT ReplySize = 0;
|
|
PBYTE PackedApReply = NULL;
|
|
ULONG PackedApReplySize = 0;
|
|
BYTE ResultData[2] = {0};
|
|
PBYTE PackedPrivBody = NULL;
|
|
ULONG PackedPrivBodySize = 0;
|
|
KERBERR KerbErr = KRB_ERR_GENERIC;
|
|
PBYTE ReplyData = NULL;
|
|
ULONG ReplyDataSize = 0;
|
|
PSOCKET_ADDRESS IpAddresses = NULL;
|
|
BOOLEAN ReturningError = TRUE;
|
|
|
|
if (!NT_SUCCESS(ChangeResult))
|
|
{
|
|
switch(ChangeResult)
|
|
{
|
|
case STATUS_PASSWORD_RESTRICTION:
|
|
SET_SHORT(ResultData,KERB_KPASSWD_POLICY);
|
|
ProtocolResult = KDC_ERR_POLICY;
|
|
break;
|
|
case STATUS_ACCOUNT_RESTRICTION:
|
|
SET_SHORT(ResultData, KERB_KPASSWD_AUTHENTICATION);
|
|
ProtocolResult = KDC_ERR_CLIENT_REVOKED;
|
|
break;
|
|
case STATUS_INVALID_PARAMETER:
|
|
SET_SHORT(ResultData, KERB_KPASSWD_MALFORMED);
|
|
ProtocolResult = KRB_ERR_GENERIC;
|
|
break;
|
|
case STATUS_ACCESS_DENIED:
|
|
SET_SHORT(ResultData, KERB_KPASSWD_AUTHORIZATION);
|
|
ProtocolResult = KRB_ERR_GENERIC;
|
|
break;
|
|
default:
|
|
SET_SHORT(ResultData, KERB_KPASSWD_ERROR);
|
|
ProtocolResult = KRB_ERR_GENERIC;
|
|
break;
|
|
}
|
|
}
|
|
else if (!KERB_SUCCESS(ProtocolResult))
|
|
{
|
|
switch(ProtocolResult)
|
|
{
|
|
case KRB_ERR_GENERIC:
|
|
//
|
|
// BUG 453652: how does this distinguish between random hard errors
|
|
// and malformed data?
|
|
//
|
|
SET_SHORT(ResultData, KERB_KPASSWD_MALFORMED);
|
|
break;
|
|
default:
|
|
//
|
|
// The other errors come from the call to verify the
|
|
// AP request
|
|
//
|
|
|
|
SET_SHORT(ResultData, KERB_KPASSWD_AUTHENTICATION);
|
|
break;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Now build the AP reply, if possible.
|
|
//
|
|
|
|
if (ARGUMENT_PRESENT(EncryptedTicket))
|
|
{
|
|
KERB_AP_REPLY Reply = {0};
|
|
KERB_ENCRYPTED_AP_REPLY ReplyBody = {0};
|
|
|
|
|
|
Reply.version = KERBEROS_VERSION;
|
|
Reply.message_type = KRB_AP_REP;
|
|
|
|
|
|
|
|
ReplyBody.client_time = Authenticator->client_time;
|
|
ReplyBody.client_usec = Authenticator->client_usec;
|
|
|
|
|
|
KerbErr = KdcMarshallApReply(
|
|
&Reply,
|
|
&ReplyBody,
|
|
&EncryptedTicket->key,
|
|
&PackedApReply,
|
|
&PackedApReplySize
|
|
);
|
|
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
goto BuildError;
|
|
}
|
|
|
|
PrivBody.sender_address.addr_type = KERB_ADDRTYPE_INET;
|
|
|
|
if (ARGUMENT_PRESENT(ServerAddress))
|
|
{
|
|
PrivBody.sender_address.address.length = 4;
|
|
PrivBody.sender_address.address.value =
|
|
(PUCHAR) &((PSOCKADDR_IN)ServerAddress)->sin_addr.S_un.S_addr;
|
|
|
|
}
|
|
else
|
|
{
|
|
PrivBody.sender_address.address.length = 0;
|
|
PrivBody.sender_address.address.value = NULL;
|
|
}
|
|
|
|
PrivBody.user_data.length = sizeof(ResultData);
|
|
PrivBody.user_data.value = ResultData;
|
|
|
|
KerbErr = KerbPackData(
|
|
&PrivBody,
|
|
KERB_ENCRYPTED_PRIV_PDU,
|
|
&PackedPrivBodySize,
|
|
&PackedPrivBody
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
goto BuildError;
|
|
}
|
|
|
|
//
|
|
// Now encrypt it with the session key
|
|
//
|
|
|
|
|
|
KerbErr = KerbAllocateEncryptionBufferWrapper(
|
|
SessionKey->keytype,
|
|
PackedPrivBodySize,
|
|
&PrivMessage.encrypted_part.cipher_text.length,
|
|
&PrivMessage.encrypted_part.cipher_text.value
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
goto BuildError;
|
|
}
|
|
|
|
KerbErr = KerbEncryptDataEx(
|
|
&PrivMessage.encrypted_part,
|
|
PackedPrivBodySize,
|
|
PackedPrivBody,
|
|
KERB_NO_KEY_VERSION,
|
|
KERB_PRIV_SALT,
|
|
SessionKey
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
goto BuildError;
|
|
}
|
|
|
|
PrivMessage.version = KERBEROS_VERSION;
|
|
PrivMessage.message_type = KRB_PRIV;
|
|
|
|
//
|
|
// Now pack the KERB_PRIV
|
|
//
|
|
|
|
KerbErr = KerbPackData(
|
|
&PrivMessage,
|
|
KERB_PRIV_MESSAGE_PDU,
|
|
&ReplyDataSize,
|
|
&ReplyData
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
goto BuildError;
|
|
}
|
|
ReturningError = FALSE;
|
|
}
|
|
|
|
BuildError:
|
|
|
|
//
|
|
// If we have an error of one of the three error codes, build the
|
|
// appropriate result code & error code for the KERB_ERROR
|
|
//
|
|
|
|
if (!KERB_SUCCESS(KerbErr) || (ReplyData == NULL))
|
|
{
|
|
UNICODE_STRING TempString;
|
|
RtlInitUnicodeString(
|
|
&TempString,
|
|
KERB_KPASSWD_NAME
|
|
);
|
|
|
|
KerbErr = KerbBuildErrorMessageEx(
|
|
ProtocolResult,
|
|
pExtendedError, // note: probably won't get used
|
|
SecData.KdcDnsRealmName(),
|
|
SecData.KpasswdInternalName(),
|
|
NULL, // no client realm,
|
|
ResultData,
|
|
sizeof(ResultData),
|
|
&ReplyDataSize,
|
|
&ReplyData
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Now, if we have an AP reply, build a kpasswd response. Otherwise
|
|
// return the kerb_error message
|
|
//
|
|
|
|
if (ReturningError)
|
|
{
|
|
Response->Buffer = ReplyData;
|
|
ReplyData = NULL;
|
|
Response->BufferSize = ReplyDataSize;
|
|
goto Cleanup;
|
|
}
|
|
else
|
|
{
|
|
PKERB_KPASSWD_REP Reply = NULL;
|
|
if ((FIELD_OFFSET(KERB_KPASSWD_REP,Data) +
|
|
PackedApReplySize +
|
|
ReplyDataSize) > SHRT_MAX)
|
|
{
|
|
D_DebugLog((DEB_ERROR, "Kpasswd reply too long!\n"));
|
|
KerbErr = KRB_ERR_FIELD_TOOLONG;
|
|
goto Cleanup;
|
|
}
|
|
ReplySize = (USHORT) (FIELD_OFFSET(KERB_KPASSWD_REP,Data) +
|
|
PackedApReplySize +
|
|
ReplyDataSize);
|
|
|
|
Reply = (PKERB_KPASSWD_REP) MIDL_user_allocate(ReplySize);
|
|
|
|
if (Reply == NULL)
|
|
{
|
|
KerbErr = KRB_ERR_GENERIC;
|
|
goto Cleanup;
|
|
}
|
|
|
|
SET_SHORT(Reply->MessageLength,ReplySize);
|
|
SET_SHORT(Reply->Version, KERB_KPASSWD_VERSION);
|
|
SET_SHORT(Reply->ApRepLength, (USHORT) PackedApReplySize);
|
|
RtlCopyMemory(
|
|
Reply->Data,
|
|
PackedApReply,
|
|
PackedApReplySize
|
|
);
|
|
RtlCopyMemory(
|
|
Reply->Data + PackedApReplySize,
|
|
ReplyData,
|
|
ReplyDataSize
|
|
);
|
|
Response->Buffer = (PBYTE) Reply;
|
|
Response->BufferSize = ReplySize;
|
|
}
|
|
|
|
Cleanup:
|
|
|
|
if (IpAddresses != NULL)
|
|
{
|
|
I_NetLogonFree(IpAddresses);
|
|
}
|
|
|
|
if (PackedApReply != NULL)
|
|
{
|
|
MIDL_user_free(PackedApReply);
|
|
}
|
|
if (PackedPrivBody !=NULL)
|
|
{
|
|
MIDL_user_free(PackedPrivBody);
|
|
}
|
|
if (ReplyData != NULL)
|
|
{
|
|
MIDL_user_free(ReplyData);
|
|
}
|
|
if (PrivMessage.encrypted_part.cipher_text.value != NULL)
|
|
{
|
|
MIDL_user_free(PrivMessage.encrypted_part.cipher_text.value);
|
|
}
|
|
|
|
return (KerbErr);
|
|
}
|
|
|
|
//+-------------------------------------------------------------------------
|
|
//
|
|
// Function: KdcChangePassword
|
|
//
|
|
// Synopsis: receives a kerb-change-password buffer and attempts the
|
|
// password change
|
|
//
|
|
// Effects:
|
|
//
|
|
// Arguments: Context - ATQ context, used for requesting more data if the
|
|
// buffer isn't complete
|
|
// ClientAddress - Address of client, from the socket
|
|
// ServerAddress - address client used to contact this server.
|
|
// InputMessage - Receives data sent by client
|
|
// OutputMessage - Contains data to be sent to client & freed
|
|
// using KdcFreeEncodedData
|
|
//
|
|
// Requires:
|
|
//
|
|
// Returns:
|
|
//
|
|
// Notes:
|
|
//
|
|
//
|
|
//--------------------------------------------------------------------------
|
|
|
|
extern "C"
|
|
KERBERR
|
|
KdcChangePassword(
|
|
IN OPTIONAL PVOID Context,
|
|
IN OPTIONAL PSOCKADDR ClientAddress,
|
|
IN OPTIONAL PSOCKADDR ServerAddress,
|
|
IN PKERB_MESSAGE_BUFFER InputMessage,
|
|
OUT PKERB_MESSAGE_BUFFER OutputMessage
|
|
)
|
|
{
|
|
PKERB_KPASSWD_REQ Request = NULL;
|
|
NTSTATUS Status = STATUS_SUCCESS;
|
|
KERBERR KerbErr = KDC_ERR_NONE;
|
|
KERB_EXT_ERROR ExtendedError = {0,0};
|
|
PKERB_EXT_ERROR pExtendedError = &ExtendedError;
|
|
USHORT ProtocolVersion;
|
|
USHORT MessageLength;
|
|
USHORT ApReqLength;
|
|
ULONG PrivLength;
|
|
PKERB_AUTHENTICATOR Authenticator = NULL;
|
|
PKERB_ENCRYPTED_TICKET EncryptedTicket = NULL;
|
|
KERB_ENCRYPTION_KEY SessionKey = {0};
|
|
KERB_ENCRYPTION_KEY ServerKey = {0};
|
|
KDC_TICKET_INFO ServerTicketInfo = {0};
|
|
KDC_TICKET_INFO ClientTicketInfo = {0};
|
|
UNICODE_STRING Password = {0};
|
|
ANSI_STRING AnsiPassword = {0};
|
|
PKERB_PRIV_MESSAGE PrivMessage = NULL;
|
|
PKERB_ENCRYPTED_PRIV PrivBody = NULL;
|
|
BOOLEAN UseSubKey = FALSE;
|
|
ULONG TicketFlags;
|
|
BOOLEAN DoPasswordSet = FALSE;
|
|
PKERB_CHANGE_PASSWORD_DATA ChangeData = NULL;
|
|
|
|
PKERB_INTERNAL_NAME ClientName = NULL;
|
|
UNICODE_STRING ClientRealm = {0};
|
|
UNICODE_STRING ReferralRealm = {0};
|
|
BOOLEAN ClientReferral = FALSE;
|
|
HANDLE TokenHandle = NULL;
|
|
PSID UserSid = NULL;
|
|
UNICODE_STRING UClientName = {0};
|
|
UNICODE_STRING UClientDomain = {0};
|
|
UNICODE_STRING UClientNetBiosDomain = {0};
|
|
|
|
SAM_CLIENT_INFO SamClientInfoBuffer;
|
|
PSAM_CLIENT_INFO SamClientInfo = NULL;
|
|
|
|
KDC_CHANGEPASS_INFO ChangePassTraceInfo;
|
|
if( KdcEventTraceFlag ) // Event Trace: KerbChangePasswordStart {No Data}
|
|
{
|
|
ChangePassTraceInfo.EventTrace.Guid = KdcChangePassGuid;
|
|
ChangePassTraceInfo.EventTrace.Class.Type = EVENT_TRACE_TYPE_START;
|
|
ChangePassTraceInfo.EventTrace.Flags = WNODE_FLAG_TRACED_GUID;
|
|
ChangePassTraceInfo.EventTrace.Size = sizeof(EVENT_TRACE_HEADER);
|
|
|
|
TraceEvent( KdcTraceLoggerHandle, (PEVENT_TRACE_HEADER)&ChangePassTraceInfo );
|
|
}
|
|
|
|
Status = EnterApiCall();
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
return(Status);
|
|
}
|
|
|
|
if (InputMessage->BufferSize < sizeof(KERB_KPASSWD_REQ))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Bad message size to KdcChangePassword: %d\n",InputMessage->BufferSize));
|
|
FILL_EXT_ERROR(pExtendedError, STATUS_KDC_INVALID_REQUEST, FILENO, __LINE__);
|
|
KerbErr = KDC_ERR_NO_RESPONSE;
|
|
goto NoMsgResponse;
|
|
}
|
|
|
|
Request = (PKERB_KPASSWD_REQ) InputMessage->Buffer;
|
|
//
|
|
// Verify the length & protocol version
|
|
//
|
|
|
|
GET_SHORT(MessageLength, Request->MessageLength);
|
|
GET_SHORT(ProtocolVersion, Request->Version);
|
|
|
|
if (ProtocolVersion == KERB_KPASSWD_SET_VERSION)
|
|
{
|
|
//
|
|
// This is the advanced protocol
|
|
//
|
|
|
|
DoPasswordSet = TRUE;
|
|
}
|
|
else if (ProtocolVersion != KERB_KPASSWD_VERSION)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Bad version passed to KdcChangePassword: %d\n",
|
|
ProtocolVersion ));
|
|
FILL_EXT_ERROR(pExtendedError, STATUS_KDC_INVALID_REQUEST, FILENO, __LINE__);
|
|
KerbErr = KDC_ERR_NO_RESPONSE;
|
|
goto NoMsgResponse;
|
|
}
|
|
|
|
if ((ULONG)MessageLength != InputMessage->BufferSize)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Bad length passed to KdcChangePassword: %d instead of %d\n",
|
|
MessageLength, InputMessage->BufferSize ));
|
|
FILL_EXT_ERROR(pExtendedError, STATUS_KDC_INVALID_REQUEST, FILENO, __LINE__);
|
|
KerbErr = KDC_ERR_NO_RESPONSE;
|
|
goto NoMsgResponse;
|
|
}
|
|
|
|
//
|
|
// Unpack the AP request
|
|
//
|
|
|
|
GET_SHORT(ApReqLength, Request->ApReqLength);
|
|
|
|
if (FIELD_OFFSET(KERB_KPASSWD_REQ, ApReqLength) + ApReqLength > MessageLength)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"ApReqLength in kpasswd request bad: %d\n",ApReqLength));
|
|
FILL_EXT_ERROR(pExtendedError, STATUS_KDC_INVALID_REQUEST, FILENO, __LINE__);
|
|
KerbErr = KDC_ERR_NO_RESPONSE;
|
|
goto NoMsgResponse;
|
|
}
|
|
|
|
//
|
|
// Verify the AP request
|
|
//
|
|
|
|
KerbErr = KdcVerifyKdcRequest(
|
|
Request->Data,
|
|
ApReqLength,
|
|
ClientAddress,
|
|
FALSE, // this is not a kdc request
|
|
NULL,
|
|
&Authenticator,
|
|
&EncryptedTicket,
|
|
&SessionKey,
|
|
&ServerKey,
|
|
&ServerTicketInfo,
|
|
&UseSubKey,
|
|
pExtendedError
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
if (KerbErr == KDC_ERR_NO_RESPONSE)
|
|
{
|
|
goto NoMsgResponse;
|
|
}
|
|
|
|
DebugLog((DEB_WARN,"Failed to unpack AP req in kpasswd request: 0x%x\n",
|
|
KerbErr ));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// The spec says the client has to ask for a sub key.
|
|
//
|
|
|
|
if (!UseSubKey)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"The client of kpasswd did not ask for a sub key.\n"));
|
|
FILL_EXT_ERROR(pExtendedError, STATUS_KDC_INVALID_REQUEST, FILENO, __LINE__);
|
|
KerbErr = KRB_ERR_GENERIC;
|
|
goto Cleanup;
|
|
}
|
|
|
|
|
|
//
|
|
// The name of the principal must be correct.
|
|
//
|
|
// WAS BUG: check by RID
|
|
//
|
|
|
|
if (ServerTicketInfo.UserId != DOMAIN_USER_RID_KRBTGT)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Wrong principal for kpasswd: %wZ\n",
|
|
&ServerTicketInfo.AccountName ));
|
|
FILL_EXT_ERROR(pExtendedError, STATUS_KDC_INVALID_REQUEST, FILENO, __LINE__);
|
|
KerbErr = KRB_AP_ERR_NOT_US;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now try to unpack the KERB_PRIV
|
|
//
|
|
|
|
PrivLength = MessageLength - (ApReqLength + FIELD_OFFSET(KERB_KPASSWD_REQ, Data));
|
|
KerbErr = KerbUnpackData(
|
|
Request->Data + ApReqLength,
|
|
PrivLength,
|
|
KERB_PRIV_MESSAGE_PDU,
|
|
(PVOID *) &PrivMessage
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to decode priv message in kpasswd req: 0x%x\n",KerbErr));
|
|
FILL_EXT_ERROR(pExtendedError, STATUS_KDC_INVALID_REQUEST, FILENO, __LINE__);
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now decrypt the KERB_PRIV message
|
|
//
|
|
|
|
if (PrivMessage->version != KERBEROS_VERSION)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Bad version in kpasswd priv message: %d\n",
|
|
PrivMessage->version ));
|
|
KerbErr = KRB_AP_ERR_BADVERSION;
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (PrivMessage->message_type != KRB_PRIV)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Bad message type in kpasswd priv message: %d\n",
|
|
PrivMessage->message_type ));
|
|
KerbErr = KRB_ERR_GENERIC;
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbErr = KerbDecryptDataEx(
|
|
&PrivMessage->encrypted_part,
|
|
&SessionKey,
|
|
KERB_PRIV_SALT,
|
|
(PULONG) &PrivMessage->encrypted_part.cipher_text.length,
|
|
PrivMessage->encrypted_part.cipher_text.value
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to decrypt priv message from kpasswd: 0x%x\n",
|
|
KerbErr));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Now decode the kerb priv body
|
|
//
|
|
|
|
KerbErr = KerbUnpackData(
|
|
PrivMessage->encrypted_part.cipher_text.value,
|
|
(ULONG) PrivMessage->encrypted_part.cipher_text.length,
|
|
KERB_ENCRYPTED_PRIV_PDU,
|
|
(PVOID *) &PrivBody
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to unpack priv body from kpasswd: 0x%x\n",
|
|
KerbErr));
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Verify the client's address
|
|
//
|
|
// NOTE: the check mandated by RFC1510 can be thwarted by a registry setting
|
|
// (KdcDontCheckAddresses) to allow seamless operation through NATs
|
|
//
|
|
|
|
if (ARGUMENT_PRESENT(ClientAddress) &&
|
|
!KdcDontCheckAddresses)
|
|
{
|
|
KERB_HOST_ADDRESSES Addresses;
|
|
//
|
|
// Build a host_addresses structure because the caller sent a single
|
|
// address.
|
|
//
|
|
|
|
Addresses.next = NULL;
|
|
Addresses.value.address_type = PrivBody->sender_address.addr_type;
|
|
Addresses.value.address.value = PrivBody->sender_address.address.value;
|
|
Addresses.value.address.length = PrivBody->sender_address.address.length;
|
|
|
|
if ( !KerbVerifyClientAddress(
|
|
ClientAddress,
|
|
&Addresses
|
|
))
|
|
{
|
|
KerbErr = KRB_AP_ERR_BADADDR;
|
|
D_DebugLog((DEB_ERROR,"Client sent kpasswd request with wrong address\n"));
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Now, we should have a password
|
|
//
|
|
|
|
if (DoPasswordSet)
|
|
{
|
|
//
|
|
// Unpack the chaneg password data in the priv body.
|
|
//
|
|
|
|
KerbErr = KerbUnpackData(
|
|
PrivBody->user_data.value,
|
|
PrivBody->user_data.length,
|
|
KERB_CHANGE_PASSWORD_DATA_PDU,
|
|
(PVOID *) &ChangeData
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Failed to unpack password change data from kpasswd: 0x%x\n",
|
|
KerbErr));
|
|
goto Cleanup;
|
|
}
|
|
|
|
if (ChangeData->new_password.length > SHRT_MAX / 2)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Password length too long: %d\n",
|
|
ChangeData->new_password.length ));
|
|
KerbErr = KRB_ERR_FIELD_TOOLONG;
|
|
goto Cleanup;
|
|
}
|
|
AnsiPassword.Length = (USHORT)ChangeData->new_password.length;
|
|
AnsiPassword.MaximumLength = AnsiPassword.Length;
|
|
AnsiPassword.Buffer = (PCHAR) ChangeData->new_password.value;
|
|
|
|
KerbErr = KerbStringToUnicodeString(
|
|
&Password,
|
|
&AnsiPassword
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// if the target name and realm aren't present, this is a
|
|
// change password
|
|
//
|
|
|
|
if ((ChangeData->bit_mask & (target_name_present | target_realm_present)) !=
|
|
(target_name_present | target_realm_present))
|
|
{
|
|
DoPasswordSet = FALSE;
|
|
}
|
|
else
|
|
{
|
|
//
|
|
// Get the names from the change data
|
|
//
|
|
|
|
KerbErr = KerbConvertPrincipalNameToKdcName(
|
|
&ClientName,
|
|
&ChangeData->target_name
|
|
);
|
|
if (!NT_SUCCESS(KerbErr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbErr = KerbConvertRealmToUnicodeString(
|
|
&ClientRealm,
|
|
&ChangeData->target_realm
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
if (!DoPasswordSet)
|
|
{
|
|
//
|
|
// The spec says the ticket must be an initial ticket for a
|
|
// change.
|
|
//
|
|
|
|
TicketFlags = KerbConvertFlagsToUlong(&EncryptedTicket->flags);
|
|
if ((TicketFlags & KERB_TICKET_FLAGS_initial) == 0)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Ticket to kpasswd was not initial\n"));
|
|
KerbErr = KRB_ERR_GENERIC;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// NOTE: verify other kerb-priv fields here
|
|
// Current ID doesn't require other kerb priv fields, so
|
|
// this is a no-op. If things change, however, we'll need
|
|
// to add code here.
|
|
//
|
|
//
|
|
// If we didn't get a password from the change password data,
|
|
// get it directly from the data
|
|
//
|
|
|
|
if (Password.Buffer == NULL)
|
|
{
|
|
|
|
//
|
|
// The password has to fit in a unicode string, so it can't be longer
|
|
// than half a ushort.
|
|
//
|
|
|
|
if (PrivBody->user_data.length > SHRT_MAX / 2)
|
|
{
|
|
D_DebugLog((DEB_ERROR,"Password length too long: %d\n",
|
|
PrivBody->user_data.length ));
|
|
KerbErr = KRB_ERR_FIELD_TOOLONG;
|
|
goto Cleanup;
|
|
}
|
|
AnsiPassword.Length = (USHORT)PrivBody->user_data.length;
|
|
AnsiPassword.MaximumLength = AnsiPassword.Length;
|
|
AnsiPassword.Buffer = (PCHAR) PrivBody->user_data.value;
|
|
|
|
KerbErr = KerbStringToUnicodeString(
|
|
&Password,
|
|
&AnsiPassword
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
}
|
|
|
|
KerbErr = KerbConvertPrincipalNameToKdcName(
|
|
&ClientName,
|
|
&EncryptedTicket->client_name
|
|
);
|
|
if (!NT_SUCCESS(KerbErr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
|
|
KerbErr = KerbConvertRealmToUnicodeString(
|
|
&ClientRealm,
|
|
&EncryptedTicket->client_realm
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
//
|
|
// Get the client ticket info so we can do a set pass
|
|
//
|
|
|
|
KerbErr = KdcNormalize(
|
|
ClientName,
|
|
NULL,
|
|
&ClientRealm,
|
|
NULL,
|
|
KDC_NAME_CLIENT,
|
|
FALSE, // do not restrict user accounts (user2user)
|
|
&ClientReferral,
|
|
&ReferralRealm,
|
|
&ClientTicketInfo,
|
|
pExtendedError,
|
|
NULL, // no UserHandle
|
|
0L, // no fields to fetch
|
|
0L, // no extended fields
|
|
NULL, // no fields to fetch
|
|
NULL // no GroupMembership
|
|
);
|
|
if (!KERB_SUCCESS(KerbErr))
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to normalize name "));
|
|
KerbPrintKdcName(DEB_ERROR,ClientName);
|
|
goto Cleanup;
|
|
}
|
|
|
|
{
|
|
LUID LogonId = LOCALSERVICE_LUID; // not usable by S4uProxy
|
|
|
|
Status = KerbCreateTokenFromTicket(
|
|
&LogonId,
|
|
NULL,
|
|
EncryptedTicket,
|
|
Authenticator,
|
|
0, // no flags
|
|
&ServerKey,
|
|
SecData.KdcDnsRealmName(),
|
|
&SessionKey,
|
|
&LogonId,
|
|
&UserSid,
|
|
&TokenHandle,
|
|
&UClientName,
|
|
&UClientDomain,
|
|
&UClientNetBiosDomain,
|
|
NULL // not interested s4u delegation info
|
|
);
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to create token from ticket: 0x%x\n",Status));
|
|
FILL_EXT_ERROR(pExtendedError, Status, FILENO, __LINE__);
|
|
KerbErr = KRB_ERR_GENERIC;
|
|
goto Cleanup;
|
|
}
|
|
|
|
//
|
|
// Setup the client info
|
|
//
|
|
|
|
if ( (ClientAddress == NULL)
|
|
|| (ClientAddress->sa_family == AF_INET) ) {
|
|
// Set to local address (known to be 4 bytes) or IP address
|
|
RtlZeroMemory(&SamClientInfoBuffer, sizeof(SamClientInfoBuffer));
|
|
SamClientInfoBuffer.Type = SamClientIpAddr;
|
|
SamClientInfoBuffer.Data.IpAddr = *((ULONG*)GET_CLIENT_ADDRESS(ClientAddress));
|
|
SamClientInfo = &SamClientInfoBuffer;
|
|
}
|
|
|
|
//
|
|
// Store the password on the user's account
|
|
//
|
|
|
|
//
|
|
// We shouldn't enforce password policy restrictions if we do a password SET
|
|
//
|
|
|
|
if (!DoPasswordSet)
|
|
{
|
|
Status = SamIChangePasswordForeignUser2(
|
|
SamClientInfo,
|
|
&ClientTicketInfo.AccountName,
|
|
&Password,
|
|
TokenHandle,
|
|
USER_CHANGE_PASSWORD
|
|
);
|
|
|
|
} else {
|
|
|
|
Status = SamISetPasswordForeignUser2(
|
|
SamClientInfo,
|
|
&ClientTicketInfo.AccountName,
|
|
&Password,
|
|
TokenHandle
|
|
);
|
|
|
|
}
|
|
|
|
if (!NT_SUCCESS(Status))
|
|
{
|
|
DebugLog((DEB_ERROR,"Failed to change password for user %wZ: 0x%x\n",
|
|
&ClientTicketInfo.AccountName, Status ));
|
|
FILL_EXT_ERROR(pExtendedError, Status, FILENO, __LINE__);
|
|
KerbErr = KDC_ERR_POLICY;
|
|
goto Cleanup;
|
|
}
|
|
}
|
|
|
|
Cleanup:
|
|
|
|
//
|
|
// Free all the memory returned
|
|
//
|
|
|
|
KerbFree(UClientName.Buffer);
|
|
KerbFree(UClientDomain.Buffer);
|
|
KerbFreeString(&UClientNetBiosDomain);
|
|
|
|
if (UserSid)
|
|
{
|
|
KerbFree(UserSid);
|
|
}
|
|
|
|
KerbErr = KdcBuildKpasswdResponse(
|
|
EncryptedTicket,
|
|
Authenticator,
|
|
&SessionKey,
|
|
ServerAddress,
|
|
Status,
|
|
KerbErr,
|
|
pExtendedError,
|
|
OutputMessage
|
|
);
|
|
|
|
NoMsgResponse:
|
|
|
|
|
|
if ( KdcEventTraceFlag ) // Event Trace: KdcChangePasswordEnd {KerbErr, ExtErr, Klininfo, (ClientRealm), (AccountName)}
|
|
{
|
|
INSERT_ULONG_INTO_MOF( KerbErr, ChangePassTraceInfo.MofData, 0 );
|
|
INSERT_ULONG_INTO_MOF( ExtendedError.status, ChangePassTraceInfo.MofData, 1 );
|
|
INSERT_ULONG_INTO_MOF( ExtendedError.klininfo, ChangePassTraceInfo.MofData, 2 );
|
|
|
|
// Protect against uninitialized UNICODE_STRINGs
|
|
|
|
WCHAR UnicodeNullChar = 0;
|
|
UNICODE_STRING UnicodeEmptyString = {sizeof(WCHAR),sizeof(WCHAR),&UnicodeNullChar};
|
|
PUNICODE_STRING pClientRealmTraceString = &ClientRealm;
|
|
PUNICODE_STRING pAccountNameTraceString = &ClientTicketInfo.AccountName;
|
|
|
|
if( ClientRealm.Buffer == NULL || ClientRealm.Length <= 0 )
|
|
pClientRealmTraceString = &UnicodeEmptyString;
|
|
|
|
if( ClientTicketInfo.AccountName.Buffer == NULL || ClientTicketInfo.AccountName.Length <= 0 )
|
|
pAccountNameTraceString = &UnicodeEmptyString;
|
|
|
|
//
|
|
|
|
INSERT_UNICODE_STRING_INTO_MOF( *pClientRealmTraceString, ChangePassTraceInfo.MofData, 3 );
|
|
INSERT_UNICODE_STRING_INTO_MOF( *pAccountNameTraceString, ChangePassTraceInfo.MofData, 5 );
|
|
|
|
ChangePassTraceInfo.EventTrace.Size = sizeof(EVENT_TRACE_HEADER) + 7*sizeof(MOF_FIELD);
|
|
|
|
ChangePassTraceInfo.EventTrace.Guid = KdcChangePassGuid;
|
|
ChangePassTraceInfo.EventTrace.Class.Type = EVENT_TRACE_TYPE_END;
|
|
ChangePassTraceInfo.EventTrace.Flags = WNODE_FLAG_TRACED_GUID | WNODE_FLAG_USE_MOF_PTR;
|
|
|
|
TraceEvent( KdcTraceLoggerHandle, (PEVENT_TRACE_HEADER)&ChangePassTraceInfo );
|
|
}
|
|
|
|
if (KerbErr == KDC_ERR_NO_RESPONSE)
|
|
{
|
|
KdcReportInvalidMessage(KDCEVENT_MALFORMED_MESSAGE, L"changepassword");
|
|
}
|
|
|
|
KerbFreeKey( &SessionKey );
|
|
KerbFreeKey( &ServerKey );
|
|
KerbFreeTicket(EncryptedTicket);
|
|
FreeTicketInfo(&ServerTicketInfo);
|
|
FreeTicketInfo(&ClientTicketInfo);
|
|
KerbFreeData(KERB_PRIV_MESSAGE_PDU, PrivMessage);
|
|
KerbFreeData(KERB_ENCRYPTED_PRIV_PDU, PrivBody);
|
|
KerbFreeData(KERB_CHANGE_PASSWORD_DATA_PDU, ChangeData);
|
|
KerbFreeString(&Password);
|
|
KerbFreeAuthenticator(Authenticator);
|
|
|
|
KerbFreeKdcName(&ClientName);
|
|
KerbFreeString(&ClientRealm);
|
|
KerbFreeString(&ReferralRealm);
|
|
|
|
if (TokenHandle != NULL)
|
|
{
|
|
NtClose(TokenHandle);
|
|
}
|
|
|
|
LeaveApiCall();
|
|
|
|
return(KerbErr);
|
|
}
|