archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
8 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 744f0b4006
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '744f0b4006'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/netapi/netlib/joincrypt.c

591 lines
14 KiB
Raw Normal View History

Add source files
4 years ago
  1. /*++
  3. Copyright (c) 1987-1996 Microsoft Corporation
  5. Module Name:
  7. joincrypt.c
  9. Abstract:
  11. Authentication related functions required by netjoin
  13. Author:
  15. kumarp 29-May-1999
  17. Notes:
  18. The functions in this file used to be made avaialbe by
  19. including net\svcdlls\logonsrv\server\ssiauth.c. This led to several
  20. problems due to which, the functions are now copied from that file
  21. into this separate file.
  23. --*/
  26. #pragma hdrstop
  28. #define WKSTA_NETLOGON
  29. #define NETSETUP_JOIN
  31. #include <netsetp.h>
  32. #include <crypt.h>
  33. #include <ntsam.h>
  34. #include <logonmsv.h>
  35. #include <lmshare.h>
  36. #include <wincrypt.h>
  37. #include <netlogon.h>
  38. #include <logonp.h>
  39. #include <logonmsv.h>
  40. #include <ssi.h>
  41. #include <wchar.h>
  42. #include "joinp.h"
  44. LONG NlGlobalSessionCounter = 0;
  45. HCRYPTPROV NlGlobalCryptProvider = (HCRYPTPROV)NULL;
  48. #define NlPrint(x)
  49. #define NlpDumpBuffer(x,y,z)
  51. BOOLEAN
  52. NlGenerateRandomBits(
  53. PUCHAR Buffer,
  54. ULONG BufferLen
  55. );
  56. #define NlQuerySystemTime( _Time ) GetSystemTimeAsFileTime( (LPFILETIME)(_Time) )
  59. VOID
  60. NlComputeChallenge(
  61. OUT PNETLOGON_CREDENTIAL Challenge
  62. );
  64. VOID
  65. NlComputeCredentials(
  66. IN PNETLOGON_CREDENTIAL Challenge,
  67. OUT PNETLOGON_CREDENTIAL Credential,
  68. IN PNETLOGON_SESSION_KEY SessionKey
  69. );
  73. NTSTATUS
  74. NlMakeSessionKey(
  75. IN ULONG NegotiatedFlags,
  76. IN PNT_OWF_PASSWORD CryptKey,
  77. IN PNETLOGON_CREDENTIAL ClientChallenge,
  78. IN PNETLOGON_CREDENTIAL ServerChallenge,
  79. OUT PNETLOGON_SESSION_KEY SessionKey
  80. )
  81. /*++
  83. Routine Description:
  85. Build an encryption key for use in authentication for
  86. this RequestorName.
  88. Arguments:
  90. NegotiatedFlags - Determines the strength of the key.
  92. CryptKey -- The OWF password of the user account being used.
  94. ClientChallenge -- 8 byte (64 bit) number generated by caller
  96. ServerChallenge -- 8 byte (64 bit) number generated by primary
  98. SessionKey -- 16 byte (128 bit) number generated at both ends
  99. If the key strength is weak, the last 64 bits will be zero.
  101. Return Value:
  103. TRUE: Success
  104. FALSE: Failure
  106. NT status code.
  108. --*/
  109. {
  110. NTSTATUS Status;
  111. BLOCK_KEY BlockKey;
  112. NETLOGON_SESSION_KEY TempSessionKey;
  114. #ifndef NETSETUP_JOIN
  115. PCHECKSUM_BUFFER CheckBuffer = NULL;
  116. PCHECKSUM_FUNCTION Check;
  117. #endif // NETSETUP_JOIN
  119. //
  120. // Start with a zero key
  121. //
  122. RtlZeroMemory(SessionKey, sizeof(NETLOGON_SESSION_KEY));
  124. #ifdef NETSETUP_JOIN
  125. UNREFERENCED_PARAMETER( NegotiatedFlags );
  126. #else // NETSETUP_JOIN
  127. //
  128. // If the caller wants a strong key,
  129. // Compute it.
  130. //
  131. if ( NegotiatedFlags & NETLOGON_SUPPORTS_STRONG_KEY ) {
  133. // PCRYPTO_SYSTEM CryptSystem;
  135. UCHAR LocalChecksum[sizeof(*SessionKey)];
  136. // ULONG OutputSize;
  138. //
  139. // Initialize the checksum routines.
  140. //
  142. Status = CDLocateCheckSum( KERB_CHECKSUM_MD5_HMAC, &Check);
  143. if (!NT_SUCCESS(Status)) {
  144. NlPrint(( NL_CRITICAL,"NlMakeSessionKey: Failed to load checksum routines: 0x%x\n", Status));
  145. goto Cleanup;
  146. }
  148. ASSERT(Check->CheckSumSize <= sizeof(LocalChecksum));
  150. Status = Check->InitializeEx(
  151. (LPBYTE)CryptKey,
  152. sizeof( *CryptKey ),
  153. 0, // no message type
  154. &CheckBuffer );
  156. if (!NT_SUCCESS(Status)) {
  157. NlPrint(( NL_CRITICAL,"NlMakeSessionKey: Failed to initialize checksum routines: 0x%x\n", Status));
  158. goto Cleanup;
  159. }
  162. //
  163. // Sum in the client challenge, a constant, and the server challenge
  164. //
  166. Check->Sum( CheckBuffer,
  167. sizeof(*ClientChallenge),
  168. (PUCHAR)ClientChallenge );
  170. Check->Sum( CheckBuffer,
  171. sizeof(*ServerChallenge),
  172. (PUCHAR)ServerChallenge );
  174. //
  175. // Finish the checksum
  176. //
  178. (void) Check->Finalize(CheckBuffer, LocalChecksum);
  181. //
  182. // Copy the checksum into the message.
  183. //
  185. ASSERT( sizeof(LocalChecksum) >= sizeof(*SessionKey) );
  186. RtlCopyMemory( SessionKey, LocalChecksum, sizeof(*SessionKey) );
  189. //
  190. // Compute weaker (but backward compatible key)
  191. //
  192. } else {
  193. #endif // NETSETUP_JOIN
  195. //
  196. // we will have a 128 bit key (64 bit encrypted rest padded with 0s)
  197. //
  198. // SessionKey = C + P (arithmetic sum ignore carry)
  199. //
  201. *((unsigned long * ) SessionKey) =
  202. *((unsigned long * ) ClientChallenge) +
  203. *((unsigned long * ) ServerChallenge);
  205. *((unsigned long * )((LPBYTE)SessionKey + 4)) =
  206. *((unsigned long * )((LPBYTE)ClientChallenge + 4)) +
  207. *((unsigned long * )((LPBYTE)ServerChallenge + 4));
  210. //
  211. // CryptKey is our 16 byte key to be used as described in codespec
  212. // use first 7 bytes of CryptKey for first encryption
  213. //
  215. RtlCopyMemory( &BlockKey, CryptKey, BLOCK_KEY_LENGTH );
  217. Status = RtlEncryptBlock(
  218. (PCLEAR_BLOCK) SessionKey, // Clear text
  219. &BlockKey, // Key
  220. (PCYPHER_BLOCK) &TempSessionKey); // Cypher Block
  222. if ( !NT_SUCCESS( Status ) ) {
  223. goto Cleanup;
  224. }
  227. //
  228. // Further encrypt the encrypted "SessionKey" using upper 7 bytes
  229. //
  231. ASSERT( LM_OWF_PASSWORD_LENGTH == 2*BLOCK_KEY_LENGTH+2 );
  233. RtlCopyMemory( &BlockKey,
  234. ((PUCHAR)CryptKey) + 2 + BLOCK_KEY_LENGTH,
  235. BLOCK_KEY_LENGTH );
  237. Status = RtlEncryptBlock(
  238. (PCLEAR_BLOCK) &TempSessionKey, // Clear text
  239. &BlockKey, // Key
  240. (PCYPHER_BLOCK) SessionKey); // Cypher Block
  242. if ( !NT_SUCCESS( Status ) ) {
  243. goto Cleanup;
  244. }
  245. #ifndef NETSETUP_JOIN
  246. }
  247. #endif // NETSETUP_JOIN
  249. Cleanup:
  250. #ifndef NETSETUP_JOIN
  251. if (CheckBuffer != NULL) {
  252. Status = Check->Finish(&CheckBuffer);
  254. if (!NT_SUCCESS(Status)) {
  255. NlPrint(( NL_CRITICAL,"NlMakeSessionKey: Failed to finish checksum: 0x%x\n", Status));
  256. }
  257. }
  258. #endif // NETSETUP_JOIN
  260. return Status;
  261. }
  264. VOID
  265. NlComputeChallenge(
  266. OUT PNETLOGON_CREDENTIAL Challenge
  267. )
  269. /*++
  271. Routine Description:
  273. Generates a 64 bit challenge
  275. Arguments:
  277. Challenge - Returns the computed challenge
  279. Return Value:
  281. None.
  283. --*/
  284. {
  286. //
  287. // Use an ideal random bit generator.
  288. //
  290. if (!NlGenerateRandomBits( (LPBYTE)Challenge, sizeof(*Challenge) )) {
  291. NlPrint((NL_CRITICAL, "Can't NlGenerateRandomBits\n" ));
  292. }
  294. return;
  295. }
  297. VOID
  298. NlComputeCredentials(
  299. IN PNETLOGON_CREDENTIAL Challenge,
  300. OUT PNETLOGON_CREDENTIAL Credential,
  301. IN PNETLOGON_SESSION_KEY SessionKey
  302. )
  303. /*++
  305. Routine Description:
  307. Calculate the credentials by encrypting the 8 byte
  308. challenge with first 7 bytes of sessionkey and then
  309. further encrypting it by next 7 bytes of sessionkey.
  311. Arguments:
  313. Challenge - Supplies the 8 byte (64 bit) challenge
  315. Credential - Returns the 8 byte (64 bit) number generated
  317. SessionKey - Supplies 14 byte (112 bit) encryption key
  318. The buffer is 16 bytes (128 bits) long. For a weak key, the trailing 8 bytes
  319. are zero. For a strong key, this routine ingored that trailing 2 bytes of
  320. useful key.
  322. Return Value:
  324. NONE
  326. --*/
  327. {
  328. NTSTATUS Status;
  329. BLOCK_KEY BlockKey;
  330. CYPHER_BLOCK IntermediateBlock;
  332. RtlZeroMemory(Credential, sizeof(*Credential));
  334. //
  335. // use first 7 bytes of SessionKey for first encryption
  336. //
  338. RtlCopyMemory( &BlockKey, SessionKey, BLOCK_KEY_LENGTH );
  340. Status = RtlEncryptBlock( (PCLEAR_BLOCK) Challenge, // Cleartext
  341. &BlockKey, // Key
  342. &IntermediateBlock ); // Cypher Block
  344. ASSERT( NT_SUCCESS(Status) );
  346. //
  347. // further encrypt the encrypted Credential using next 7 bytes
  348. //
  350. RtlCopyMemory( &BlockKey,
  351. ((PUCHAR)SessionKey) + BLOCK_KEY_LENGTH,
  352. BLOCK_KEY_LENGTH );
  354. Status = RtlEncryptBlock( (PCLEAR_BLOCK) &IntermediateBlock, // Cleartext
  355. &BlockKey, // Key
  356. Credential ); // Cypher Block
  358. ASSERT( NT_SUCCESS(Status) );
  360. return;
  362. }
  364. BOOLEAN
  365. NlGenerateRandomBits(
  366. PUCHAR Buffer,
  367. ULONG BufferLen
  368. )
  369. /*++
  371. Routine Description:
  373. Generates random bits
  375. Arguments:
  377. pBuffer - Buffer to fill
  379. cbBuffer - Number of bytes in buffer
  381. Return Value:
  383. Status of the operation.
  385. --*/
  387. {
  388. if( !CryptGenRandom( NlGlobalCryptProvider, BufferLen, ( LPBYTE )Buffer ) )
  389. {
  390. NlPrint((NL_CRITICAL, "CryptGenRandom failed with %lu\n", GetLastError() ));
  391. return FALSE;
  392. }
  394. return TRUE;
  395. }
  399. NET_API_STATUS
  400. NET_API_FUNCTION
  401. NetpValidateMachineAccount(
  402. IN LPWSTR lpDc,
  403. IN LPWSTR lpDomain,
  404. IN LPWSTR lpMachine,
  405. IN LPWSTR lpPassword
  406. )
  407. /*++
  409. Routine Description:
  411. Performs validation that the machine account exists and has the same password we expect
  413. The internals of this function were lifted completely from SimulateFullSync() in
  414. ..\svcdlls\logonsrv\server\nltest.c,
  416. Arguments:
  418. lpDc -- Name of the Dc
  419. lpDomain -- Name of the domain
  420. lpMachine -- Current machine
  421. lpPassword -- Password that should be on the account.
  424. Returns:
  426. NERR_Success -- Success
  428. --*/
  429. {
  430. NTSTATUS Status = STATUS_SUCCESS;
  432. NETLOGON_CREDENTIAL ServerChallenge;
  433. NETLOGON_CREDENTIAL ClientChallenge;
  434. NETLOGON_CREDENTIAL ComputedServerCredential;
  435. NETLOGON_CREDENTIAL ReturnedServerCredential;
  436. NETLOGON_CREDENTIAL AuthenticationSeed;
  437. NETLOGON_SESSION_KEY SessionKey;
  438. WCHAR AccountName[SSI_ACCOUNT_NAME_LENGTH+1];
  439. UNICODE_STRING Password;
  440. NT_OWF_PASSWORD NtOwfPassword;
  442. UNREFERENCED_PARAMETER( lpDomain );
  444. ASSERT( lpPassword );
  446. //
  447. // initialize Crypto Provider.
  448. // (required for NlComputeChallenge).
  449. //
  451. if ( !CryptAcquireContext(
  452. &NlGlobalCryptProvider,
  453. NULL,
  454. NULL,
  455. PROV_RSA_FULL,
  456. CRYPT_VERIFYCONTEXT
  457. ))
  458. {
  459. NlGlobalCryptProvider = (HCRYPTPROV)NULL;
  460. return (NET_API_STATUS)GetLastError();
  461. }
  463. //
  464. // Prepare our challenge
  465. //
  467. NlComputeChallenge( &ClientChallenge );
  469. //
  470. // free cryptographic service provider.
  471. //
  472. if ( NlGlobalCryptProvider ) {
  473. CryptReleaseContext( NlGlobalCryptProvider, 0 );
  474. NlGlobalCryptProvider = (HCRYPTPROV)NULL;
  475. }
  478. //
  479. // Get the primary's challenge
  480. //
  482. Status = I_NetServerReqChallenge(lpDc,
  483. lpMachine,
  484. &ClientChallenge,
  485. &ServerChallenge );
  487. if ( !NT_SUCCESS( Status ) ) {
  489. goto ValidateMachineAccountError;
  490. }
  493. Password.Length = Password.MaximumLength = wcslen(lpPassword) * sizeof(WCHAR);
  494. Password.Buffer = lpPassword;
  496. //
  497. // Compute the NT OWF password for this user.
  498. //
  500. Status = RtlCalculateNtOwfPassword( &Password, &NtOwfPassword );
  502. if ( !NT_SUCCESS( Status ) ) {
  504. goto ValidateMachineAccountError;
  506. }
  509. //
  510. // Actually compute the session key given the two challenges and the
  511. // password.
  512. //
  514. NlMakeSessionKey(
  515. #if(_WIN32_WINNT >= 0x0500)
  516. 0,
  517. #endif
  518. &NtOwfPassword,
  519. &ClientChallenge,
  520. &ServerChallenge,
  521. &SessionKey );
  523. //
  524. // Prepare credentials using our challenge.
  525. //
  527. NlComputeCredentials( &ClientChallenge,
  528. &AuthenticationSeed,
  529. &SessionKey );
  531. //
  532. // Send these credentials to primary. The primary will compute
  533. // credentials using the challenge supplied by us and compare
  534. // with these. If both match then it will compute credentials
  535. // using its challenge and return it to us for verification
  536. //
  538. wcscpy( AccountName, lpMachine );
  539. wcscat( AccountName, SSI_ACCOUNT_NAME_POSTFIX);
  541. Status = I_NetServerAuthenticate( lpDc,
  542. AccountName,
  543. WorkstationSecureChannel,
  544. lpMachine,
  545. &AuthenticationSeed,
  546. &ReturnedServerCredential );
  548. if ( !NT_SUCCESS( Status ) ) {
  550. goto ValidateMachineAccountError;
  552. }
  555. //
  556. // The DC returned a server credential to us,
  557. // ensure the server credential matches the one we would compute.
  558. //
  560. NlComputeCredentials( &ServerChallenge,
  561. &ComputedServerCredential,
  562. &SessionKey);
  565. if (RtlCompareMemory( &ReturnedServerCredential,
  566. &ComputedServerCredential,
  567. sizeof(ReturnedServerCredential)) !=
  568. sizeof(ReturnedServerCredential)) {
  570. Status = STATUS_ACCESS_DENIED;
  571. }
  574. ValidateMachineAccountError:
  576. if ( Status == STATUS_ACCESS_DENIED ) {
  578. Status = STATUS_LOGON_FAILURE;
  579. }
  581. if ( !NT_SUCCESS( Status ) ) {
  583. NetpLog(( "Failed to validate machine account for %ws against %ws: 0x%lx\n",
  584. lpMachine, lpDc, Status ));
  585. }
  589. return( RtlNtStatusToDosError( Status ) );
  590. }