archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 9769ad7c3d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9769ad7c3d'
${ noResults }
windows-xp/Source/XPSP1/NT/net/ias/providers/ntuser/auth/ntsamauth.cpp

757 lines
19 KiB
Raw Normal View History

Add source files
4 years ago
  1. ///////////////////////////////////////////////////////////////////////////////
  2. //
  3. // Copyright (c) 2000, Microsoft Corp. All rights reserved.
  4. //
  5. // FILE
  6. //
  7. // ntsamauth.cpp
  8. //
  9. // SYNOPSIS
  10. //
  11. // Defines the class NTSamAuthentication.
  12. //
  13. ///////////////////////////////////////////////////////////////////////////////
  15. #include <ias.h>
  16. #include <ntsamauth.h>
  17. #include <autohdl.h>
  18. #include <blob.h>
  19. #include <iaslsa.h>
  20. #include <iastlutl.h>
  21. #include <lockout.h>
  22. #include <mbstring.h>
  23. #include <samutil.h>
  24. #include <sdoias.h>
  27. bool NTSamAuthentication::allowLM;
  30. STDMETHODIMP NTSamAuthentication::Initialize()
  31. {
  32. DWORD error = IASLsaInitialize();
  33. if (error == NO_ERROR)
  34. {
  35. AccountLockoutInitialize();
  36. }
  38. return HRESULT_FROM_WIN32(error);
  39. }
  42. STDMETHODIMP NTSamAuthentication::Shutdown()
  43. {
  44. AccountLockoutShutdown();
  45. IASLsaUninitialize();
  46. return S_OK;
  47. }
  50. STDMETHODIMP NTSamAuthentication::PutProperty(LONG Id, VARIANT *pValue)
  51. {
  52. if (Id == PROPERTY_NTSAM_ALLOW_LM_AUTHENTICATION &&
  53. pValue != NULL &&
  54. V_VT(pValue) == VT_BOOL)
  55. {
  56. allowLM = V_BOOL(pValue) ? true : false;
  57. IASTracePrintf(
  58. "Setting LM Authentication allowed to %s.",
  59. (allowLM ? "TRUE" : "FALSE")
  60. );
  61. }
  63. return S_OK;
  64. }
  67. bool NTSamAuthentication::enforceLmRestriction(
  68. IASTL::IASRequest& request
  69. )
  70. {
  71. if (!allowLM)
  72. {
  73. IASTraceString("LanManager authentication is not enabled.");
  74. IASProcessFailure(request, IAS_LM_NOT_ALLOWED);
  75. }
  77. return allowLM;
  78. }
  81. void NTSamAuthentication::doMsChapAuthentication(
  82. IASTL::IASRequest& request,
  83. PCWSTR domainName,
  84. PCWSTR username,
  85. BYTE identity,
  86. PBYTE challenge,
  87. PBYTE ntResponse,
  88. PBYTE lmResponse
  89. )
  90. {
  91. DWORD status;
  92. auto_handle<> token;
  93. IAS_MSCHAP_PROFILE profile;
  94. status = IASLogonMSCHAP(
  95. username,
  96. domainName,
  97. challenge,
  98. ntResponse,
  99. lmResponse,
  100. &profile,
  101. &token
  102. );
  104. if (status == NO_ERROR)
  105. {
  106. MSChapMPPEKeys::insert(
  107. request,
  108. profile.LanmanSessionKey,
  109. profile.UserSessionKey,
  110. challenge
  111. );
  112. MSChapDomain::insert(
  113. request,
  114. identity,
  115. profile.LogonDomainName
  116. );
  117. }
  119. storeLogonResult(request, status, token);
  120. }
  123. void NTSamAuthentication::doMsChap2Authentication(
  124. IASTL::IASRequest& request,
  125. PCWSTR domainName,
  126. PCWSTR username,
  127. BYTE identity,
  128. IAS_OCTET_STRING& challenge,
  129. PBYTE response,
  130. PBYTE peerChallenge
  131. )
  132. {
  133. //////////
  134. // Get the hash username.
  135. //////////
  137. PIASATTRIBUTE attr = IASPeekAttribute(
  138. request,
  139. IAS_ATTRIBUTE_ORIGINAL_USER_NAME,
  140. IASTYPE_OCTET_STRING
  141. );
  142. if (!attr)
  143. {
  144. attr = IASPeekAttribute(
  145. request,
  146. RADIUS_ATTRIBUTE_USER_NAME,
  147. IASTYPE_OCTET_STRING
  148. );
  149. if (!attr)
  150. {
  151. _com_issue_error(IAS_MALFORMED_REQUEST);
  152. }
  153. }
  155. PCSTR rawUserName = IAS_OCT2ANSI(attr->Value.OctetString);
  156. PCSTR hashUserName = (PCSTR)_mbschr((const BYTE*)rawUserName, '\\');
  157. hashUserName = hashUserName ? (hashUserName + 1) : rawUserName;
  159. //////////
  160. // Authenticate the user.
  161. //////////
  163. DWORD status;
  164. auto_handle<> token;
  165. IAS_MSCHAP_V2_PROFILE profile;
  166. status = IASLogonMSCHAPv2(
  167. username,
  168. domainName,
  169. hashUserName,
  170. challenge.lpValue,
  171. challenge.dwLength,
  172. response,
  173. peerChallenge,
  174. &profile,
  175. &token
  176. );
  178. //////////
  179. // Process the result.
  180. //////////
  182. if (status == NO_ERROR)
  183. {
  184. MSMPPEKey::insert(
  185. request,
  186. sizeof(profile.RecvSessionKey),
  187. profile.RecvSessionKey,
  188. FALSE
  189. );
  191. MSMPPEKey::insert(
  192. request,
  193. sizeof(profile.SendSessionKey),
  194. profile.SendSessionKey,
  195. TRUE
  196. );
  198. MSChap2Success::insert(
  199. request,
  200. identity,
  201. profile.AuthResponse
  202. );
  204. MSChapDomain::insert(
  205. request,
  206. identity,
  207. profile.LogonDomainName
  208. );
  209. }
  211. storeLogonResult(request, status, token);
  212. }
  215. IASREQUESTSTATUS NTSamAuthentication::onSyncRequest(IRequest* pRequest) throw ()
  216. {
  217. HANDLE hAccount = 0;
  219. try
  220. {
  221. IASTL::IASRequest request(pRequest);
  223. //////////
  224. // Extract the NT4-Account-Name attribute.
  225. //////////
  227. IASTL::IASAttribute identity;
  228. if (!identity.load(
  229. request,
  230. IAS_ATTRIBUTE_NT4_ACCOUNT_NAME,
  231. IASTYPE_STRING
  232. ))
  233. {
  234. return IAS_REQUEST_STATUS_CONTINUE;
  235. }
  237. //////////
  238. // Convert the User-Name to SAM format.
  239. //////////
  241. PCWSTR domain, username;
  242. EXTRACT_SAM_IDENTITY(identity->Value.String, domain, username);
  244. IASTracePrintf(
  245. "NT-SAM Authentication handler received request for %S\\%S.",
  246. domain,
  247. username
  248. );
  250. //////////
  251. // Check if the account has been locked out.
  252. //////////
  254. if (AccountLockoutOpenAndQuery(
  255. username,
  256. domain,
  257. &hAccount
  258. ))
  259. {
  260. IASTraceString("Account has been locked out locally -- rejecting.");
  261. AccountLockoutClose(hAccount);
  262. request.SetResponse(IAS_RESPONSE_ACCESS_REJECT, IAS_DIALIN_LOCKED_OUT);
  263. return IAS_REQUEST_STATUS_CONTINUE;
  264. }
  266. // Try each authentication type.
  267. if (!tryMsChap2All(request, domain, username) &&
  268. !tryMsChapAll(request, domain, username) &&
  269. !tryMd5Chap(request, domain, username) &&
  270. !tryPap(request, domain, username))
  271. {
  272. // Since the EAP request handler is invoked after policy
  273. // evaluation, we have to set the auth type here.
  274. if (IASPeekAttribute(
  275. request,
  276. RADIUS_ATTRIBUTE_EAP_MESSAGE,
  277. IASTYPE_OCTET_STRING
  278. ))
  279. {
  280. storeAuthenticationType(request, IAS_AUTH_EAP);
  281. }
  282. else
  283. {
  284. // Otherwise, the auth type is "Unauthenticated".
  285. storeAuthenticationType(request, IAS_AUTH_NONE);
  286. }
  287. }
  289. //////////
  290. // Update the lockout database based on the results.
  291. //////////
  293. if (request.get_Response() == IAS_RESPONSE_ACCESS_ACCEPT)
  294. {
  295. AccountLockoutUpdatePass(hAccount);
  296. }
  297. else if (request.get_Reason() == IAS_AUTH_FAILURE)
  298. {
  299. AccountLockoutUpdateFail(hAccount);
  300. }
  301. }
  302. catch (const _com_error& ce)
  303. {
  304. IASTraceExcept();
  305. IASProcessFailure(pRequest, ce.Error());
  306. }
  308. AccountLockoutClose(hAccount);
  310. return IAS_REQUEST_STATUS_CONTINUE;
  311. }
  314. void NTSamAuthentication::storeAuthenticationType(
  315. IASTL::IASRequest& request,
  316. DWORD authType
  317. )
  318. {
  319. IASTL::IASAttribute attr(true);
  320. attr->dwId = IAS_ATTRIBUTE_AUTHENTICATION_TYPE;
  321. attr->Value.itType = IASTYPE_ENUM;
  322. attr->Value.Enumerator = authType;
  323. attr.store(request);
  324. }
  327. void NTSamAuthentication::storeLogonResult(
  328. IASTL::IASRequest& request,
  329. DWORD status,
  330. HANDLE token
  331. )
  332. {
  333. if (status == ERROR_SUCCESS)
  334. {
  335. IASTraceString("LogonUser succeeded.");
  336. storeTokenGroups(request, token);
  337. request.SetResponse(IAS_RESPONSE_ACCESS_ACCEPT, S_OK);
  338. }
  339. else
  340. {
  341. IASTraceFailure("LogonUser", status);
  342. IASProcessFailure(request, IASMapWin32Error(status, IAS_AUTH_FAILURE));
  343. }
  344. }
  347. void NTSamAuthentication::storeTokenGroups(
  348. IASTL::IASRequest& request,
  349. HANDLE token
  350. )
  351. {
  352. DWORD returnLength;
  354. //////////
  355. // Determine the needed buffer size.
  356. //////////
  358. BOOL success = GetTokenInformation(
  359. token,
  360. TokenGroups,
  361. NULL,
  362. 0,
  363. &returnLength
  364. );
  366. DWORD status = GetLastError();
  368. // Should have failed with ERROR_INSUFFICIENT_BUFFER.
  369. if (success || status != ERROR_INSUFFICIENT_BUFFER)
  370. {
  371. IASTraceFailure("GetTokenInformation", status);
  372. _com_issue_error(HRESULT_FROM_WIN32(status));
  373. }
  375. //////////
  376. // Allocate an attribute.
  377. //////////
  379. IASTL::IASAttribute groups(true);
  381. //////////
  382. // Allocate a buffer to hold the TOKEN_GROUPS array.
  383. //////////
  385. groups->Value.OctetString.lpValue = (PBYTE)CoTaskMemAlloc(returnLength);
  386. if (!groups->Value.OctetString.lpValue)
  387. {
  388. _com_issue_error(E_OUTOFMEMORY);
  389. }
  391. //////////
  392. // Get the Token Groups info.
  393. //////////
  395. GetTokenInformation(
  396. token,
  397. TokenGroups,
  398. groups->Value.OctetString.lpValue,
  399. returnLength,
  400. &groups->Value.OctetString.dwLength
  401. );
  403. //////////
  404. // Set the id and type of the initialized attribute.
  405. //////////
  407. groups->dwId = IAS_ATTRIBUTE_TOKEN_GROUPS;
  408. groups->Value.itType = IASTYPE_OCTET_STRING;
  410. //////////
  411. // Inject the Token-Groups into the request.
  412. //////////
  414. groups.store(request);
  415. }
  418. bool NTSamAuthentication::tryMsChap(
  419. IASTL::IASRequest& request,
  420. PCWSTR domainName,
  421. PCWSTR username,
  422. PBYTE challenge
  423. )
  424. {
  425. // Is the necessary attribute present?
  426. IASAttribute attr;
  427. if (!attr.load(
  428. request,
  429. MS_ATTRIBUTE_CHAP_RESPONSE,
  430. IASTYPE_OCTET_STRING
  431. ))
  432. {
  433. return false;
  434. }
  435. MSChapResponse& response = blob_cast<MSChapResponse>(attr);
  437. IASTraceString("Processing MS-CHAP v1 authentication.");
  438. storeAuthenticationType(request, IAS_AUTH_MSCHAP);
  440. if (!response.isLmPresent() || enforceLmRestriction(request))
  441. {
  442. doMsChapAuthentication(
  443. request,
  444. domainName,
  445. username,
  446. response.get().ident,
  447. challenge,
  448. (response.isNtPresent() ? response.get().ntResponse : NULL),
  449. (response.isLmPresent() ? response.get().lmResponse : NULL)
  450. );
  451. }
  453. return true;
  454. }
  457. bool NTSamAuthentication::tryMsChapCpw1(
  458. IASTL::IASRequest& request,
  459. PCWSTR domainName,
  460. PCWSTR username,
  461. PBYTE challenge
  462. )
  463. {
  464. // Is the necessary attribute present ?
  465. IASAttribute attr;
  466. bool present = attr.load(
  467. request,
  468. MS_ATTRIBUTE_CHAP_CPW1,
  469. IASTYPE_OCTET_STRING
  470. );
  471. if (present)
  472. {
  473. IASTraceString("Deferring MS-CHAP-CPW-1.");
  474. storeAuthenticationType(request, IAS_AUTH_MSCHAP_CPW);
  475. }
  477. return present;
  478. }
  481. bool NTSamAuthentication::tryMsChapCpw2(
  482. IASTL::IASRequest& request,
  483. PCWSTR domainName,
  484. PCWSTR username,
  485. PBYTE challenge
  486. )
  487. {
  488. // Is the necessary attribute present ?
  489. IASAttribute attr;
  490. bool present = attr.load(
  491. request,
  492. MS_ATTRIBUTE_CHAP_CPW2,
  493. IASTYPE_OCTET_STRING
  494. );
  495. if (present)
  496. {
  497. IASTraceString("Deferring MS-CHAP-CPW-2.");
  498. storeAuthenticationType(request, IAS_AUTH_MSCHAP_CPW);
  499. }
  501. return present;
  502. }
  505. bool NTSamAuthentication::tryMsChap2(
  506. IASTL::IASRequest& request,
  507. PCWSTR domainName,
  508. PCWSTR username,
  509. IAS_OCTET_STRING& challenge
  510. )
  511. {
  512. // Is the necessary attribute present?
  513. IASAttribute attr;
  514. if (!attr.load(
  515. request,
  516. MS_ATTRIBUTE_CHAP2_RESPONSE,
  517. IASTYPE_OCTET_STRING
  518. ))
  519. {
  520. return false;
  521. }
  522. MSChap2Response& response = blob_cast<MSChap2Response>(attr);
  524. IASTraceString("Processing MS-CHAP v2 authentication.");
  525. storeAuthenticationType(request, IAS_AUTH_MSCHAP2);
  527. //////////
  528. // Authenticate the user.
  529. //////////
  531. doMsChap2Authentication(
  532. request,
  533. domainName,
  534. username,
  535. response.get().ident,
  536. challenge,
  537. response.get().response,
  538. response.get().peerChallenge
  539. );
  541. return true;
  542. }
  545. bool NTSamAuthentication::tryMsChap2Cpw(
  546. IASTL::IASRequest& request,
  547. PCWSTR domainName,
  548. PCWSTR username,
  549. IAS_OCTET_STRING& challenge
  550. )
  551. {
  552. // Is the necessary attribute present ?
  553. IASAttribute attr;
  554. bool present = attr.load(
  555. request,
  556. MS_ATTRIBUTE_CHAP2_CPW,
  557. IASTYPE_OCTET_STRING
  558. );
  559. if (present)
  560. {
  561. IASTraceString("Deferring MS-CHAP v2 change password.");
  562. storeAuthenticationType(request, IAS_AUTH_MSCHAP2_CPW);
  563. }
  565. return present;
  566. }
  569. bool NTSamAuthentication::tryMd5Chap(
  570. IASTL::IASRequest& request,
  571. PCWSTR domainName,
  572. PCWSTR username
  573. )
  574. {
  575. // Is the necessary attribute present?
  576. IASTL::IASAttribute chapPassword;
  577. if (!chapPassword.load(
  578. request,
  579. RADIUS_ATTRIBUTE_CHAP_PASSWORD,
  580. IASTYPE_OCTET_STRING
  581. ))
  582. {
  583. return false;
  584. }
  586. IASTraceString("Processing MD5-CHAP authentication.");
  587. storeAuthenticationType(request, IAS_AUTH_MD5CHAP);
  589. //////////
  590. // Split up the CHAP-Password attribute.
  591. //////////
  593. // The ID is the first byte of the value ...
  594. BYTE challengeID = *(chapPassword->Value.OctetString.lpValue);
  596. // ... and the password is the rest.
  597. PBYTE password = chapPassword->Value.OctetString.lpValue + 1;
  599. //////////
  600. // Use the CHAP-Challenge if available, request authenticator otherwise.
  601. //////////
  603. IASTL::IASAttribute chapChallenge, radiusHeader;
  604. if (!chapChallenge.load(
  605. request,
  606. RADIUS_ATTRIBUTE_CHAP_CHALLENGE,
  607. IASTYPE_OCTET_STRING
  608. ) &&
  609. !radiusHeader.load(
  610. request,
  611. IAS_ATTRIBUTE_CLIENT_PACKET_HEADER,
  612. IASTYPE_OCTET_STRING
  613. ))
  614. {
  615. _com_issue_error(IAS_MALFORMED_REQUEST);
  616. }
  618. PBYTE challenge;
  619. DWORD challengeLength;
  621. if (chapChallenge)
  622. {
  623. challenge = chapChallenge->Value.OctetString.lpValue;
  624. challengeLength = chapChallenge->Value.OctetString.dwLength;
  625. }
  626. else
  627. {
  628. challenge = radiusHeader->Value.OctetString.lpValue + 4;
  629. challengeLength = 16;
  630. }
  633. //////////
  634. // Try to logon the user.
  635. //////////
  637. auto_handle<> token;
  638. DWORD status = IASLogonCHAP(
  639. username,
  640. domainName,
  641. challengeID,
  642. challenge,
  643. challengeLength,
  644. password,
  645. &token
  646. );
  648. //////////
  649. // Store the results.
  650. //////////
  652. storeLogonResult(request, status, token);
  654. return true;
  655. }
  658. bool NTSamAuthentication::tryMsChapAll(
  659. IASTL::IASRequest& request,
  660. PCWSTR domainName,
  661. PCWSTR username
  662. )
  663. {
  664. // Do we have the necessary attribute?
  665. IASTL::IASAttribute msChapChallenge;
  666. if (!msChapChallenge.load(
  667. request,
  668. MS_ATTRIBUTE_CHAP_CHALLENGE,
  669. IASTYPE_OCTET_STRING
  670. ))
  671. {
  672. return false;
  673. }
  675. if (msChapChallenge->Value.OctetString.dwLength != _MSV1_0_CHALLENGE_LENGTH)
  676. {
  677. _com_issue_error(IAS_MALFORMED_REQUEST);
  678. }
  680. PBYTE challenge = msChapChallenge->Value.OctetString.lpValue;
  682. return tryMsChap(request, domainName, username, challenge) ||
  683. tryMsChapCpw2(request, domainName, username, challenge) ||
  684. tryMsChapCpw1(request, domainName, username, challenge);
  685. }
  688. bool NTSamAuthentication::tryMsChap2All(
  689. IASTL::IASRequest& request,
  690. PCWSTR domainName,
  691. PCWSTR username
  692. )
  693. {
  694. // Do we have the necessary attribute?
  695. IASTL::IASAttribute msChapChallenge;
  696. if (!msChapChallenge.load(
  697. request,
  698. MS_ATTRIBUTE_CHAP_CHALLENGE,
  699. IASTYPE_OCTET_STRING
  700. ))
  701. {
  702. return false;
  703. }
  705. IAS_OCTET_STRING& challenge = msChapChallenge->Value.OctetString;
  707. return tryMsChap2(request, domainName, username, challenge) ||
  708. tryMsChap2Cpw(request, domainName, username, challenge);
  709. }
  712. bool NTSamAuthentication::tryPap(
  713. IASTL::IASRequest& request,
  714. PCWSTR domainName,
  715. PCWSTR username
  716. )
  717. {
  718. // Do we have the necessary attribute?
  719. IASTL::IASAttribute password;
  720. if (!password.load(
  721. request,
  722. RADIUS_ATTRIBUTE_USER_PASSWORD,
  723. IASTYPE_OCTET_STRING
  724. ))
  725. {
  726. return false;
  727. }
  729. IASTraceString("Processing PAP authentication.");
  730. storeAuthenticationType(request, IAS_AUTH_PAP);
  732. //////////
  733. // Convert the password to a string.
  734. //////////
  736. PSTR userPwd = IAS_OCT2ANSI(password->Value.OctetString);
  738. //////////
  739. // Try to logon the user.
  740. //////////
  742. auto_handle<> token;
  743. DWORD status = IASLogonPAP(
  744. username,
  745. domainName,
  746. userPwd,
  747. &token
  748. );
  750. //////////
  751. // Store the results.
  752. //////////
  754. storeLogonResult(request, status, token);
  756. return true;
  757. }