archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 9769ad7c3d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9769ad7c3d'
${ noResults }
windows-xp/Source/XPSP1/NT/net/ias/providers/ntuser/auth/changepwd.cpp

417 lines
11 KiB
Raw Normal View History

Add source files
4 years ago
  1. ///////////////////////////////////////////////////////////////////////////////
  2. //
  3. // Copyright (c) 2000, Microsoft Corp. All rights reserved.
  4. //
  5. // FILE
  6. //
  7. // changepwd.h
  8. //
  9. // SYNOPSIS
  10. //
  11. // Defines the class ChangePassword.
  12. //
  13. ///////////////////////////////////////////////////////////////////////////////
  15. #include <ias.h>
  16. #include <changepwd.h>
  17. #include <blob.h>
  18. #include <iaslsa.h>
  19. #include <iastlutl.h>
  20. #include <ntsamauth.h>
  21. #include <samutil.h>
  24. STDMETHODIMP ChangePassword::Initialize()
  25. {
  26. DWORD error = IASLsaInitialize();
  27. return HRESULT_FROM_WIN32(error);
  28. }
  31. STDMETHODIMP ChangePassword::Shutdown()
  32. {
  33. IASLsaUninitialize();
  34. return S_OK;
  35. }
  38. IASREQUESTSTATUS ChangePassword::onSyncRequest(IRequest* pRequest) throw ()
  39. {
  40. try
  41. {
  42. IASTL::IASRequest request(pRequest);
  44. // Only process change password requests.
  45. IASTL::IASAttribute authType;
  46. if (authType.load(
  47. request,
  48. IAS_ATTRIBUTE_AUTHENTICATION_TYPE,
  49. IASTYPE_ENUM
  50. ))
  51. {
  52. switch (authType->Value.Enumerator)
  53. {
  54. case IAS_AUTH_MSCHAP_CPW:
  55. // Fall through.
  56. case IAS_AUTH_MSCHAP2_CPW:
  57. doChangePassword(request, authType->Value.Enumerator);
  58. break;
  60. default:
  61. // Do nothing.
  62. break;
  63. }
  64. }
  65. }
  66. catch (const _com_error& ce)
  67. {
  68. IASTraceExcept();
  69. IASProcessFailure(pRequest, ce.Error());
  70. }
  72. return IAS_REQUEST_STATUS_CONTINUE;
  73. }
  76. bool ChangePassword::tryMsChapCpw1(
  77. IASTL::IASRequest& request,
  78. PCWSTR domainName,
  79. PCWSTR username,
  80. PBYTE challenge
  81. )
  82. {
  83. // Is the MS-CHAP-CPW-1 VSA present?
  84. IASTL::IASAttribute attr;
  85. if (!attr.load(
  86. request,
  87. MS_ATTRIBUTE_CHAP_CPW1,
  88. IASTYPE_OCTET_STRING
  89. ))
  90. {
  91. return false;
  92. }
  93. MSChapCPW1& cpw1 = blob_cast<MSChapCPW1>(attr);
  95. IASTraceString("Processing MS-CHAP-CPW-1.");
  97. // Is LM Authentication allowed?
  98. if (NTSamAuthentication::enforceLmRestriction(request))
  99. {
  100. // Change the password.
  101. BYTE newNtResponse[_NT_RESPONSE_LENGTH];
  102. BYTE newLmResponse[_LM_RESPONSE_LENGTH];
  103. DWORD status;
  104. status = IASChangePassword1(
  105. username,
  106. domainName,
  107. challenge,
  108. cpw1.get().lmOldPwd,
  109. cpw1.get().lmNewPwd,
  110. cpw1.get().ntOldPwd,
  111. cpw1.get().ntNewPwd,
  112. cpw1.getNewLmPwdLen(),
  113. cpw1.isNtPresent(),
  114. newNtResponse,
  115. newLmResponse
  116. );
  117. if (status == NO_ERROR)
  118. {
  119. IASTraceString("Password successfully changed.");
  121. // Password was successfully changed, so authenticate the user.
  122. NTSamAuthentication::doMsChapAuthentication(
  123. request,
  124. domainName,
  125. username,
  126. cpw1.get().ident,
  127. challenge,
  128. newNtResponse,
  129. newLmResponse
  130. );
  131. }
  132. else
  133. {
  134. IASTraceFailure("IASChangePassword1", status);
  136. if (status == ERROR_ACCESS_DENIED)
  137. {
  138. status = IAS_CHANGE_PASSWORD_FAILURE;
  139. }
  140. else
  141. {
  142. status = IASMapWin32Error(status, IAS_CHANGE_PASSWORD_FAILURE);
  143. }
  145. IASProcessFailure(request, status);
  146. }
  147. }
  149. return true;
  150. }
  153. bool ChangePassword::tryMsChapCpw2(
  154. IASTL::IASRequest& request,
  155. PCWSTR domainName,
  156. PCWSTR username,
  157. PBYTE challenge
  158. )
  159. {
  160. // Is the MS-CHAP-CPW-2 VSA present?
  161. IASAttribute attr;
  162. if (!attr.load(
  163. request,
  164. MS_ATTRIBUTE_CHAP_CPW2,
  165. IASTYPE_OCTET_STRING
  166. ))
  167. {
  168. return false;
  169. }
  170. MSChapCPW2& cpw2 = blob_cast<MSChapCPW2>(attr);
  172. IASTraceString("Processing MS-CHAP-CPW-2.");
  174. // Check LM Authentication.
  175. if (!cpw2.isLmPresent() ||
  176. NTSamAuthentication::enforceLmRestriction(request))
  177. {
  178. //////////
  179. // Assemble the encrypted passwords.
  180. //////////
  182. BYTE ntEncPW[_SAMPR_ENCRYPTED_USER_PASSWORD_LENGTH];
  183. if (!MSChapEncPW::getEncryptedPassword(
  184. request,
  185. MS_ATTRIBUTE_CHAP_NT_ENC_PW,
  186. ntEncPW
  187. ))
  188. {
  189. _com_issue_error(IAS_MALFORMED_REQUEST);
  190. }
  192. BOOL lmPresent = FALSE;
  193. BYTE lmEncPW[_SAMPR_ENCRYPTED_USER_PASSWORD_LENGTH];
  194. if (cpw2.isLmHashValid())
  195. {
  196. lmPresent = MSChapEncPW::getEncryptedPassword(
  197. request,
  198. MS_ATTRIBUTE_CHAP_LM_ENC_PW,
  199. lmEncPW
  200. );
  201. }
  203. //////////
  204. // Change the password.
  205. //////////
  207. DWORD status;
  208. status = IASChangePassword2(
  209. username,
  210. domainName,
  211. cpw2.get().oldNtHash,
  212. cpw2.get().oldLmHash,
  213. ntEncPW,
  214. lmPresent ? lmEncPW : NULL,
  215. cpw2.isLmHashValid()
  216. );
  218. if (status == NO_ERROR)
  219. {
  220. IASTraceString("Password successfully changed.");
  222. // Password was successfully changed, so authenticate the user.
  223. PBYTE ntResponse;
  224. if (cpw2.isNtResponseValid())
  225. {
  226. ntResponse = cpw2.get().ntResponse;
  227. }
  228. else
  229. {
  230. ntResponse = NULL;
  231. }
  232. NTSamAuthentication::doMsChapAuthentication(
  233. request,
  234. domainName,
  235. username,
  236. cpw2.get().ident,
  237. challenge,
  238. ntResponse,
  239. cpw2.get().lmResponse
  240. );
  241. }
  242. else
  243. {
  244. IASTraceFailure("IASChangePassword2", status);
  246. if (status == ERROR_ACCESS_DENIED)
  247. {
  248. status = IAS_CHANGE_PASSWORD_FAILURE;
  249. }
  250. else
  251. {
  252. status = IASMapWin32Error(status, IAS_CHANGE_PASSWORD_FAILURE);
  253. }
  255. IASProcessFailure(request, status);
  256. }
  257. }
  259. return true;
  260. }
  263. void ChangePassword::doMsChapCpw(
  264. IASTL::IASRequest& request,
  265. PCWSTR domainName,
  266. PCWSTR username,
  267. IAS_OCTET_STRING& msChapChallenge
  268. )
  269. {
  270. if (msChapChallenge.dwLength != _MSV1_0_CHALLENGE_LENGTH)
  271. {
  272. _com_issue_error(IAS_MALFORMED_REQUEST);
  273. }
  275. PBYTE challenge = msChapChallenge.lpValue;
  277. if (!tryMsChapCpw2(request, domainName, username, challenge) &&
  278. !tryMsChapCpw1(request, domainName, username, challenge))
  279. {
  280. _com_issue_error(IAS_INTERNAL_ERROR);
  281. }
  282. }
  285. void ChangePassword::doMsChap2Cpw(
  286. IASTL::IASRequest& request,
  287. PCWSTR domainName,
  288. PCWSTR username,
  289. IAS_OCTET_STRING& msChapChallenge
  290. )
  291. {
  292. IASTraceString("Processing MS-CHAP v2 change password.");
  294. // Is the necessary attribute present ?
  295. IASAttribute attr;
  296. if (!attr.load(
  297. request,
  298. MS_ATTRIBUTE_CHAP2_CPW,
  299. IASTYPE_OCTET_STRING
  300. ))
  301. {
  302. _com_issue_error(IAS_INTERNAL_ERROR);
  303. }
  304. MSChap2CPW& cpw = blob_cast<MSChap2CPW>(attr);
  306. //////////
  307. // Assemble the encrypted password.
  308. //////////
  310. BYTE encPW[_SAMPR_ENCRYPTED_USER_PASSWORD_LENGTH];
  311. if (!MSChapEncPW::getEncryptedPassword(
  312. request,
  313. MS_ATTRIBUTE_CHAP_NT_ENC_PW,
  314. encPW
  315. ))
  316. {
  317. _com_issue_error(IAS_MALFORMED_REQUEST);
  318. }
  320. //////////
  321. // Change the password.
  322. //////////
  324. DWORD status;
  325. status = IASChangePassword3(
  326. username,
  327. domainName,
  328. cpw.get().encryptedHash,
  329. encPW
  330. );
  332. if (status == NO_ERROR)
  333. {
  334. IASTraceString("Password successfully changed.");
  336. // Password was successfully changed, so authenticate the user.
  337. NTSamAuthentication::doMsChap2Authentication(
  338. request,
  339. domainName,
  340. username,
  341. cpw.get().ident,
  342. msChapChallenge,
  343. cpw.get().response,
  344. cpw.get().peerChallenge
  345. );
  346. }
  347. else
  348. {
  349. IASTraceFailure("IASChangePassword3", status);
  351. if (status == ERROR_ACCESS_DENIED)
  352. {
  353. status = IAS_CHANGE_PASSWORD_FAILURE;
  354. }
  355. else
  356. {
  357. status = IASMapWin32Error(status, IAS_CHANGE_PASSWORD_FAILURE);
  358. }
  360. IASProcessFailure(request, status);
  361. }
  362. }
  365. void ChangePassword::doChangePassword(
  366. IASTL::IASRequest& request,
  367. DWORD authType
  368. )
  369. {
  370. IASTL::IASAttribute identity;
  371. if (!identity.load(
  372. request,
  373. IAS_ATTRIBUTE_NT4_ACCOUNT_NAME,
  374. IASTYPE_STRING
  375. ))
  376. {
  377. _com_issue_error(IAS_INTERNAL_ERROR);
  378. }
  380. // Convert the User-Name to SAM format.
  381. PCWSTR domain, username;
  382. EXTRACT_SAM_IDENTITY(identity->Value.String, domain, username);
  384. IASAttribute msChapChallenge;
  385. if (!msChapChallenge.load(
  386. request,
  387. MS_ATTRIBUTE_CHAP_CHALLENGE,
  388. IASTYPE_OCTET_STRING
  389. ))
  390. {
  391. _com_issue_error(IAS_INTERNAL_ERROR);
  392. }
  394. switch (authType)
  395. {
  396. case IAS_AUTH_MSCHAP_CPW:
  397. doMsChapCpw(
  398. request,
  399. domain,
  400. username,
  401. msChapChallenge->Value.OctetString
  402. );
  403. break;
  405. case IAS_AUTH_MSCHAP2_CPW:
  406. doMsChap2Cpw(
  407. request,
  408. domain,
  409. username,
  410. msChapChallenge->Value.OctetString
  411. );
  412. break;
  414. default:
  415. _com_issue_error(IAS_INTERNAL_ERROR);
  416. }
  417. }