Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

559 lines
20 KiB

/*++
Copyright (C) Microsoft Corporation, 1999
Module Name:
mschapp - MS-CHAP Password Change API
Abstract:
These APIs correspond to the MS-CHAP RFC -2433 sections 9 and 10. In order
to develop an MS-CHAP RAS server that works with an NT domain, these APIs
are required.
The MS-CHAP change password APIs are exposed through a DLL that is obtained
from PSS. This DLL is not distributed with NT4.0 or Win2000. It is up to
the ISV to install this with their product. The DLL name is MSCHAPP.DLL.
Only wide (Unicode) versions of these apis will be available. These are the
2 callable APIs:
* MSChapSrvChangePassword
* MsChapSrvChangePassword2
--*/
#define UNICODE
#define _UNICODE
#ifndef WIN32_LEAN_AND_MEAN
#define WIN32_LEAN_AND_MEAN
#endif
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <windows.h>
#include <ntsam.h>
#include <ntsamp.h>
#include <ntlsa.h>
#include <mschapp.h>
//////////////////////////////////////////////////////////////
// //
// //
// Exported MSChap change password Functions //
// //
// //
//////////////////////////////////////////////////////////////
//critical section for MSChap change password functions
CRITICAL_SECTION MSChapChangePassword;
//function pointers for MSChap Functions
HINSTANCE hSamlib = NULL;
typedef NTSTATUS(* FNSAMCONNECT)(PUNICODE_STRING,
PSAM_HANDLE,
ACCESS_MASK,
POBJECT_ATTRIBUTES);
typedef NTSTATUS(* FNSAMOPENDOMAIN)(SAM_HANDLE,
ACCESS_MASK,
PSID,
PSAM_HANDLE);
typedef NTSTATUS(* FNSAMLOOKUPNAMESINDOMAIN)(SAM_HANDLE,ULONG,PUNICODE_STRING,
PULONG*,PSID_NAME_USE *);
typedef NTSTATUS(* FNSAMOPENUSER)(SAM_HANDLE,ACCESS_MASK,ULONG,PSAM_HANDLE);
typedef NTSTATUS(* FNSAMICHANGEPASSWORDUSER)(SAM_HANDLE,BOOLEAN,PLM_OWF_PASSWORD,PLM_OWF_PASSWORD,
BOOLEAN,PNT_OWF_PASSWORD,PNT_OWF_PASSWORD);
typedef NTSTATUS(* FNSAMICHANGEPASSWORDUSER2)(PUNICODE_STRING,
PUNICODE_STRING,
PSAMPR_ENCRYPTED_USER_PASSWORD,
PENCRYPTED_NT_OWF_PASSWORD,
BOOLEAN,PSAMPR_ENCRYPTED_USER_PASSWORD,
PENCRYPTED_LM_OWF_PASSWORD);
typedef NTSTATUS(* FNSAMCLOSEHANDLE)(SAM_HANDLE);
typedef NTSTATUS(* FNSAMFREEMEMORY)(PVOID);
FNSAMCONNECT FnSamConnect = NULL;
FNSAMOPENDOMAIN FnSamOpenDomain = NULL;
FNSAMLOOKUPNAMESINDOMAIN FnSamLookupNamesInDomain = NULL;
FNSAMOPENUSER FnSamOpenUser = NULL;
FNSAMICHANGEPASSWORDUSER FnSamiChangePasswordUser = NULL;
FNSAMICHANGEPASSWORDUSER2 FnSamiChangePasswordUser2 = NULL;
FNSAMCLOSEHANDLE FnSamCloseHandle = NULL;
FNSAMFREEMEMORY FnSamFreeMemory = NULL;
/*++
MSChapSrvChangePassword:
Changes the password of a user account. Password will be set to
NewPassword only if OldPassword matches the current user password for this
user and there are no restrictions on using the new password. This call
allows users to change their own password if they have access
USER_CHANGE_PASSWORD. Password update restrictions apply.
Arguments:
ServerName - The server to operate on, or NULL for this machine.
UserName - Name of user whose password is to be changed
LMOldPresent - TRUE if the LmOldOwfPassword is valid. This should only be
FALSE if the old password is too long to be represented by a LM
password (Complex NT password). Note the LMNewOwfPassword must always
be valid. If the new password is complex, the LMNewOwfPassword should
be the well-known LM OWF of a NULL password.
LmOldOwfPassword - One-way-function of the current LM password for the
user. Ignored if LmOldPresent == FALSE
LmNewOwfPassword - One-way-function of the new LM password for the user.
NtOldOwfPassword - One-way-function of the current NT password for the
user.
NtNewOwfPassword - One-way-function of the new NT password for the user.
Return Value:
STATUS_SUCCESS - The Service completed successfully.
STATUS_ACCESS_DENIED - Caller does not have the appropriate access to
complete the operation.
STATUS_INVALID_HANDLE - The supplied server or username was not valid.
STATUS_ILL_FORMED_PASSWORD - The new password is poorly formed, e.g.
contains characters that can't be entered from the keyboard, etc.
STATUS_PASSWORD_RESTRICTION - A restriction prevents the password from
being changed. This may be for a number of reasons, including time
restrictions on how often a password may be changed or length
restrictions on the provided password. This error might also be
returned if the new password matched a password in the recent history
log for the account. Security administrators indicate how many of the
most recently used passwords may not be re-used. These are kept in
the password recent history log.
STATUS_WRONG_PASSWORD - OldPassword does not contain the user's current
password.
STATUS_INVALID_DOMAIN_STATE - The domain server is not in the correct
state (disabled or enabled) to perform the requested operation. The
domain server must be enabled for this operation
STATUS_INVALID_DOMAIN_ROLE - The domain server is serving the incorrect
role (primary or backup) to perform the requested operation.
STATUS_INVALID_PARAMETER_MIX - LmOldPresent or NtPresent or both must be
TRUE.
--*/
WINADVAPI DWORD WINAPI
MSChapSrvChangePassword(
IN LPWSTR ServerName,
IN LPWSTR UserName,
IN BOOLEAN LmOldPresent,
IN PLM_OWF_PASSWORD LmOldOwfPassword,
IN PLM_OWF_PASSWORD LmNewOwfPassword,
IN PNT_OWF_PASSWORD NtOldOwfPassword,
IN PNT_OWF_PASSWORD NtNewOwfPassword)
{
NTSTATUS Status=STATUS_SUCCESS;
DWORD WinErr=ERROR_SUCCESS;
OBJECT_ATTRIBUTES oa;
UNICODE_STRING UnicodeName;
SAM_HANDLE SamHandle = NULL;
SAM_HANDLE DomainHandle = NULL;
SAM_HANDLE UserHandle = NULL;
LSA_HANDLE LsaHandle = NULL;
PPOLICY_ACCOUNT_DOMAIN_INFO DomainInfo = NULL;
PULONG RelativeIds = NULL;
PSID_NAME_USE Use = NULL;
if (NULL == UserName || NULL == LmOldOwfPassword || NULL == LmNewOwfPassword ||
NULL == NtOldOwfPassword || NULL == NtNewOwfPassword) {
WinErr = ERROR_INVALID_PARAMETER;
goto Cleanup;
}
//
// Initialization.
//
if ( hSamlib == NULL )
{
RtlEnterCriticalSection( &MSChapChangePassword );
if ( hSamlib == NULL )
{
hSamlib = LoadLibrary(L"samlib.dll");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
if (hSamlib != NULL) {
FnSamConnect = (FNSAMCONNECT) GetProcAddress(hSamlib,
"SamConnect");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
FnSamOpenDomain = (FNSAMOPENDOMAIN) GetProcAddress(hSamlib,
"SamOpenDomain");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
FnSamLookupNamesInDomain = (FNSAMLOOKUPNAMESINDOMAIN) GetProcAddress(hSamlib,
"SamLookupNamesInDomain");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
FnSamOpenUser = (FNSAMOPENUSER) GetProcAddress(hSamlib,
"SamOpenUser");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
FnSamCloseHandle = (FNSAMCLOSEHANDLE) GetProcAddress(hSamlib,
"SamCloseHandle");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
FnSamFreeMemory = (FNSAMFREEMEMORY) GetProcAddress(hSamlib,
"SamFreeMemory");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
FnSamiChangePasswordUser = (FNSAMICHANGEPASSWORDUSER) GetProcAddress(hSamlib,
"SamiChangePasswordUser");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
FnSamiChangePasswordUser2 = (FNSAMICHANGEPASSWORDUSER2) GetProcAddress(hSamlib,
"SamiChangePasswordUser2");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
}
}
RtlLeaveCriticalSection( &MSChapChangePassword );
}
RtlInitUnicodeString(&UnicodeName, ServerName);
InitializeObjectAttributes(&oa, NULL, 0, NULL, NULL);
//
// Connect to the LSA on the server
//
Status = LsaOpenPolicy(
&UnicodeName,
&oa,
POLICY_VIEW_LOCAL_INFORMATION,
&LsaHandle);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
Status = LsaQueryInformationPolicy(
LsaHandle,
PolicyAccountDomainInformation,
(PVOID *)&DomainInfo);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
Status = FnSamConnect(
&UnicodeName,
&SamHandle,
SAM_SERVER_LOOKUP_DOMAIN,
&oa);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
Status = FnSamOpenDomain(
SamHandle,
DOMAIN_LOOKUP | DOMAIN_READ_PASSWORD_PARAMETERS | DOMAIN_READ_PASSWORD_PARAMETERS,
DomainInfo->DomainSid,
&DomainHandle);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
RtlInitUnicodeString(
&UnicodeName,
UserName);
Status = FnSamLookupNamesInDomain(
DomainHandle,
1,
&UnicodeName,
&RelativeIds,
&Use);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
if (Use[0] != SidTypeUser)
{
WinErr = ERROR_INVALID_SID;
goto Cleanup;
}
Status = FnSamOpenUser(
DomainHandle,
USER_CHANGE_PASSWORD,
RelativeIds[0],
&UserHandle);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
Status = FnSamiChangePasswordUser(
UserHandle,
LmOldPresent, // Only false if Old password too complex
LmOldOwfPassword,
LmNewOwfPassword,
TRUE, // NT password present
NtOldOwfPassword,
NtNewOwfPassword);
if (!NT_SUCCESS(Status))
{
goto Cleanup;
}
Cleanup:
if (LsaHandle != NULL)
{
LsaClose(LsaHandle);
}
if (UserHandle != NULL)
{
FnSamCloseHandle(UserHandle);
}
if (DomainHandle != NULL)
{
FnSamCloseHandle(DomainHandle);
}
if (SamHandle != NULL)
{
FnSamCloseHandle(SamHandle);
}
if (DomainInfo != NULL)
{
LsaFreeMemory(DomainInfo);
}
if (RelativeIds != NULL)
{
FnSamFreeMemory(RelativeIds);
}
if (Use != NULL)
{
FnSamFreeMemory(Use);
}
if (ERROR_SUCCESS != WinErr) {
return WinErr;
}
return RtlNtStatusToDosError(Status);
}
/*++
MSChapSrvChangePassword2:
Changes the password of a user account. Password will be set to
NewPassword only if OldPassword matches the current user password for this
user and there are no restrictions on using the new password. This call
allows users to change their own password if they have access
USER_CHANGE_PASSWORD. Password update restrictions apply.
Arguments:
ServerName - The server to operate on, or NULL for this machine.
UserName - Name of user whose password is to be changed
NewPasswordEncryptedWithOldNt - The new cleartext password encrypted with
the old NT OWF password.
OldNtOwfPasswordEncryptedWithNewNt - The old NT OWF password encrypted
with the new NT OWF password.
LmPresent - If TRUE, indicates that the following two last parameter was
encrypted with the LM OWF password not the NT OWF password.
NewPasswordEncryptedWithOldLm - The new cleartext password encrypted with
the old LM OWF password.
OldLmOwfPasswordEncryptedWithNewLmOrNt - The old LM OWF password encrypted
with the new LM OWF password.
Return Value:
STATUS_SUCCESS - The Service completed successfully.
STATUS_ACCESS_DENIED - Caller does not have the appropriate access to
complete the operation.
STATUS_INVALID_HANDLE - The supplied server or username was not valid.
STATUS_ILL_FORMED_PASSWORD - The new password is poorly formed, e.g.
contains characters that can't be entered from the keyboard, etc.
STATUS_PASSWORD_RESTRICTION - A restriction prevents the password from
being changed. This may be for a number of reasons, including time
restrictions on how often a password may be changed or length
restrictions on the provided password. This error might also be
returned if the new password matched a password in the recent history
log for the account. Security administrators indicate how many of the
most recently used passwords may not be re-used. These are kept in
the password recent history log.
STATUS_WRONG_PASSWORD - OldPassword does not contain the user's current
password.
STATUS_INVALID_DOMAIN_STATE - The domain server is not in the correct
state (disabled or enabled) to perform the requested operation. The
domain server must be enabled for this operation.
STATUS_INVALID_DOMAIN_ROLE - The domain server is serving the incorrect
role (primary or backup) to perform the requested operation.
--*/
WINADVAPI DWORD WINAPI
MSChapSrvChangePassword2(
IN LPWSTR ServerName,
IN LPWSTR UserName,
IN PSAMPR_ENCRYPTED_USER_PASSWORD NewPasswordEncryptedWithOldNt,
IN PENCRYPTED_NT_OWF_PASSWORD OldNtOwfPasswordEncryptedWithNewNt,
IN BOOLEAN LmPresent,
IN PSAMPR_ENCRYPTED_USER_PASSWORD NewPasswordEncryptedWithOldLm,
IN PENCRYPTED_LM_OWF_PASSWORD OldLmOwfPasswordEncryptedWithNewLmOrNt)
{
UNICODE_STRING UnicodeServer;
UNICODE_STRING UnicodeUser;
DWORD WinErr = ERROR_SUCCESS;
if (NULL == UserName || NULL == NewPasswordEncryptedWithOldNt ||
NULL == NewPasswordEncryptedWithOldLm || NULL ==OldNtOwfPasswordEncryptedWithNewNt ||
NULL == OldLmOwfPasswordEncryptedWithNewLmOrNt) {
WinErr = ERROR_INVALID_PARAMETER;
goto Cleanup;
}
//
// Initialization.
//
if ( hSamlib == NULL )
{
RtlEnterCriticalSection( &MSChapChangePassword );
if ( hSamlib == NULL )
{
hSamlib = LoadLibrary(L"samlib.dll");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
if (hSamlib != NULL) {
FnSamConnect = (FNSAMCONNECT) GetProcAddress(hSamlib,
"SamConnect");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
FnSamOpenDomain = (FNSAMOPENDOMAIN) GetProcAddress(hSamlib,
"SamOpenDomain");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
FnSamLookupNamesInDomain = (FNSAMLOOKUPNAMESINDOMAIN) GetProcAddress(hSamlib,
"SamLookupNamesInDomain");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
FnSamOpenUser = (FNSAMOPENUSER) GetProcAddress(hSamlib,
"SamOpenUser");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
FnSamCloseHandle = (FNSAMCLOSEHANDLE) GetProcAddress(hSamlib,
"SamCloseHandle");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
FnSamFreeMemory = (FNSAMFREEMEMORY) GetProcAddress(hSamlib,
"SamFreeMemory");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
FnSamiChangePasswordUser = (FNSAMICHANGEPASSWORDUSER) GetProcAddress(hSamlib,
"SamiChangePasswordUser");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
FnSamiChangePasswordUser2 = (FNSAMICHANGEPASSWORDUSER2) GetProcAddress(hSamlib,
"SamiChangePasswordUser2");
WinErr = GetLastError();
if (ERROR_SUCCESS != WinErr) {
goto Cleanup;
}
}
}
RtlLeaveCriticalSection( &MSChapChangePassword );
}
RtlInitUnicodeString(&UnicodeServer, ServerName);
RtlInitUnicodeString(&UnicodeUser, UserName);
return RtlNtStatusToDosError(FnSamiChangePasswordUser2(&UnicodeServer,
&UnicodeUser,
NewPasswordEncryptedWithOldNt,
OldNtOwfPasswordEncryptedWithNewNt,
LmPresent,
NewPasswordEncryptedWithOldLm,
OldLmOwfPasswordEncryptedWithNewLmOrNt));
Cleanup:
return WinErr;
}