archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 9769ad7c3d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9769ad7c3d'
${ noResults }
windows-xp/Source/XPSP1/NT/net/ias/providers/ntuser/basecamp/basecamp.cpp

765 lines
19 KiB
Raw Normal View History

Add source files
4 years ago
  1. ///////////////////////////////////////////////////////////////////////////////
  2. //
  3. // Copyright (c) 2000, Microsoft Corp. All rights reserved.
  4. //
  5. // FILE
  6. //
  7. // basecamp.cpp
  8. //
  9. // SYNOPSIS
  10. //
  11. // Defines the class BaseCampHostBase.
  12. //
  13. ///////////////////////////////////////////////////////////////////////////////
  15. #include <ias.h>
  16. #include <extension.h>
  17. #include <basecamp.h>
  18. #include <memory>
  20. //////////
  21. // The offset between the UNIX and NT epochs.
  22. //////////
  23. const DWORDLONG UNIX_EPOCH = 116444736000000000ui64;
  25. /////////
  26. // Convert a single attribute from IAS to BaseCamp format.
  27. // Returns (dst + 1) if successful, (dst) otherwise.
  28. /////////
  29. PRADIUS_ATTRIBUTE
  30. WINAPI
  31. ConvertToBaseCampAttribute(
  32. IN PIASATTRIBUTE src,
  33. IN PRADIUS_ATTRIBUTE dst
  34. ) throw ()
  35. {
  36. /////////
  37. // Convert the attribute ID.
  38. /////////
  40. if (src->dwId < 256)
  41. {
  42. // If it's a radius standard attribute, then use 'as is'.
  43. dst->dwAttrType = src->dwId;
  44. }
  45. else
  46. {
  47. // Map internal attributes.
  48. switch (src->dwId)
  49. {
  50. case IAS_ATTRIBUTE_CLIENT_IP_ADDRESS:
  51. dst->dwAttrType = ratSrcIPAddress;
  52. break;
  54. case IAS_ATTRIBUTE_CLIENT_UDP_PORT:
  55. dst->dwAttrType = ratSrcPort;
  56. break;
  58. case IAS_ATTRIBUTE_NT4_ACCOUNT_NAME:
  59. dst->dwAttrType = ratStrippedUserName;
  60. break;
  62. case IAS_ATTRIBUTE_FULLY_QUALIFIED_USER_NAME:
  63. dst->dwAttrType = ratFQUserName;
  64. break;
  66. case IAS_ATTRIBUTE_NP_NAME:
  67. dst->dwAttrType = ratPolicyName;
  68. break;
  70. default:
  71. // No mapping exists.
  72. return dst;
  73. }
  74. }
  76. /////////
  77. // Convert the attribute value.
  78. /////////
  80. switch (src->Value.itType)
  81. {
  82. case IASTYPE_BOOLEAN:
  83. case IASTYPE_INTEGER:
  84. case IASTYPE_ENUM:
  85. {
  86. dst->fDataType = rdtInteger;
  87. dst->cbDataLength = sizeof(DWORD);
  88. dst->dwValue = src->Value.Integer;
  89. ++dst;
  90. break;
  91. }
  93. case IASTYPE_INET_ADDR:
  94. {
  95. dst->fDataType = rdtAddress;
  96. dst->cbDataLength = sizeof(DWORD);
  97. dst->dwValue = src->Value.InetAddr;
  98. ++dst;
  99. break;
  100. }
  102. case IASTYPE_STRING:
  103. {
  104. IASAttributeAnsiAlloc(src);
  105. if (src->Value.String.pszAnsi)
  106. {
  107. dst->fDataType = rdtString;
  108. dst->cbDataLength = strlen(src->Value.String.pszAnsi) + 1;
  109. dst->lpValue = src->Value.String.pszAnsi;
  110. ++dst;
  111. }
  112. break;
  113. }
  115. case IASTYPE_OCTET_STRING:
  116. case IASTYPE_PROV_SPECIFIC:
  117. {
  118. dst->fDataType = rdtString;
  119. dst->cbDataLength = src->Value.OctetString.dwLength;
  120. dst->lpValue = (PCSTR)src->Value.OctetString.lpValue;
  121. ++dst;
  122. break;
  123. }
  125. case IASTYPE_UTC_TIME:
  126. {
  127. DWORDLONG val;
  129. // Move in the high DWORD.
  130. val = src->Value.UTCTime.dwHighDateTime;
  131. val <<= 32;
  133. // Move in the low DWORD.
  134. val |= src->Value.UTCTime.dwLowDateTime;
  136. // Convert to the UNIX epoch.
  137. val -= UNIX_EPOCH;
  139. // Convert to seconds.
  140. val /= 10000000;
  142. dst->fDataType = rdtTime;
  143. dst->cbDataLength = sizeof(DWORD);
  144. dst->dwValue = (DWORD)val;
  145. ++dst;
  146. break;
  147. }
  148. }
  150. return dst;
  151. }
  153. /////////
  154. // Converts a request object to an array of BaseCamp attributes.
  155. /////////
  156. VOID
  157. WINAPI
  158. ConvertRequestToBaseCampAttributes(
  159. IN IASRequest& request,
  160. IN BOOL inbound,
  161. OUT PRADIUS_ATTRIBUTE* ppAttrs
  162. )
  164. {
  165. /////////
  166. // Determine the packetCode.
  167. /////////
  169. DWORD packetCode = 0;
  171. if (!inbound)
  172. {
  173. // For outbound requests we look at the response.
  174. switch (request.get_Response())
  175. {
  176. case IAS_RESPONSE_ACCESS_ACCEPT:
  177. packetCode = 2;
  178. break;
  180. case IAS_RESPONSE_ACCESS_REJECT:
  181. packetCode = 3;
  182. break;
  184. case IAS_RESPONSE_ACCOUNTING:
  185. packetCode = 5;
  186. break;
  188. case IAS_RESPONSE_ACCESS_CHALLENGE:
  189. packetCode = 11;
  190. break;
  191. }
  192. }
  194. if (!packetCode)
  195. {
  196. // If we made it here, either this is an inbound request or we
  197. // haven't made a decision yet on an outbound request.
  198. switch (request.get_Request())
  199. {
  200. case IAS_REQUEST_ACCESS_REQUEST:
  201. packetCode = 1;
  202. break;
  204. case IAS_REQUEST_ACCOUNTING:
  205. packetCode = 4;
  206. break;
  207. }
  208. }
  210. ///////
  211. // Determine which attributes to convert based on the packetCode.
  212. ///////
  213. DWORD always, never;
  214. switch (packetCode)
  215. {
  216. case 1: // Access-Request
  217. always = IAS_RECVD_FROM_CLIENT | IAS_RECVD_FROM_PROTOCOL;
  218. never = IAS_INCLUDE_IN_RESPONSE;
  219. break;
  221. case 2: // Access-Accept
  222. always = IAS_INCLUDE_IN_ACCEPT;
  223. never = IAS_RECVD_FROM_CLIENT |
  224. IAS_INCLUDE_IN_REJECT | IAS_INCLUDE_IN_CHALLENGE;
  225. break;
  227. case 3: // Access-Reject
  228. always = IAS_INCLUDE_IN_REJECT;
  229. never = IAS_RECVD_FROM_CLIENT |
  230. IAS_INCLUDE_IN_ACCEPT | IAS_INCLUDE_IN_CHALLENGE;
  231. break;
  233. case 4: // Accounting-Request
  234. always = IAS_RECVD_FROM_CLIENT | IAS_RECVD_FROM_PROTOCOL;
  235. never = IAS_INCLUDE_IN_RESPONSE;
  236. break;
  238. case 5: // Accounting-Response
  239. always = IAS_INCLUDE_IN_RESPONSE;
  240. never = IAS_RECVD_FROM_CLIENT;
  241. break;
  243. case 11: // Access-Challenge.
  244. always = IAS_INCLUDE_IN_CHALLENGE;
  245. never = IAS_RECVD_FROM_CLIENT |
  246. IAS_INCLUDE_IN_ACCEPT | IAS_INCLUDE_IN_REJECT;
  247. break;
  249. default:
  250. always = 0;
  251. never = 0;
  252. }
  254. // Get the packet header (won't be present for RAS).
  255. PIASATTRIBUTE header = IASPeekAttribute(
  256. request,
  257. IAS_ATTRIBUTE_CLIENT_PACKET_HEADER,
  258. IASTYPE_OCTET_STRING
  259. );
  261. // Allocate memory for the converted attributes. We need six extra elements
  262. // for derived attributes and the terminator.
  263. DWORD numAttrs = request.GetAttributeCount();
  264. *ppAttrs = (PRADIUS_ATTRIBUTE)
  265. CoTaskMemAlloc((numAttrs + 6UL) * sizeof(RADIUS_ATTRIBUTE));
  266. if (*ppAttrs == NULL) { _com_issue_error(E_OUTOFMEMORY); }
  268. // Cursor into the attribute array.
  269. PRADIUS_ATTRIBUTE dst = *ppAttrs;
  271. // Packet code.
  272. dst->dwAttrType = ratCode;
  273. dst->fDataType = rdtInteger;
  274. dst->cbDataLength = sizeof(DWORD);
  275. dst->dwValue = packetCode;
  276. ++dst;
  279. // Authentication provider.
  280. dst->dwAttrType = ratProvider;
  281. dst->fDataType = rdtInteger;
  282. dst->cbDataLength = sizeof(DWORD);
  284. PIASATTRIBUTE providerType = IASPeekAttribute(
  285. request,
  286. IAS_ATTRIBUTE_PROVIDER_TYPE,
  287. IASTYPE_ENUM
  288. );
  290. if (providerType == 0)
  291. {
  292. // most of the time, the absence of the provider type is used
  293. // for rapNone
  294. dst->dwValue = rapNone;
  295. }
  296. else
  297. {
  298. switch(providerType->Value.Integer)
  299. {
  300. case IAS_PROVIDER_NONE:
  301. {
  302. dst->dwValue = rapNone;
  303. break;
  304. }
  306. case IAS_PROVIDER_WINDOWS:
  307. {
  308. dst->dwValue = rapWindowsNT;
  309. break;
  310. }
  312. case IAS_PROVIDER_RADIUS_PROXY:
  313. {
  314. dst->dwValue = rapProxy;
  315. break;
  316. }
  317. default:
  318. {
  319. // should never be here
  320. dst->dwValue = rapUnknown;
  321. }
  322. }
  323. }
  325. ++dst;
  327. // Identifier
  328. if (header)
  329. {
  330. dst->dwAttrType = ratIdentifier;
  331. dst->fDataType = rdtInteger;
  332. dst->cbDataLength = sizeof(DWORD);
  333. dst->dwValue = *(PBYTE)(header->Value.OctetString.lpValue + 1);
  334. ++dst;
  335. }
  337. // Check for a Chap-Challenge.
  338. PIASATTRIBUTE challenge = IASPeekAttribute(
  339. request,
  340. RADIUS_ATTRIBUTE_CHAP_CHALLENGE,
  341. IASTYPE_OCTET_STRING
  342. );
  343. if (challenge)
  344. {
  345. // Use the Chap-Challenge if present ...
  346. dst->dwAttrType = ratAuthenticator;
  347. dst->fDataType = rdtString;
  348. dst->cbDataLength = challenge->Value.OctetString.dwLength;
  349. dst->lpValue = (const char*)challenge->Value.OctetString.lpValue;
  350. ++dst;
  351. }
  352. else if (header)
  353. {
  354. // ... otherwise use the Request Authenticator.
  355. dst->dwAttrType = ratAuthenticator;
  356. dst->fDataType = rdtString;
  357. dst->cbDataLength = 16;
  358. dst->lpValue = (const char*)header->Value.OctetString.lpValue + 4;
  359. ++dst;
  360. }
  362. // Get all the regular attributes from the request.
  363. USES_IAS_STACK_VECTOR();
  364. IASAttributeVectorOnStack(attrs, NULL, numAttrs);
  365. attrs.load(request);
  367. // Iterate through and convert each attribute.
  368. for (IASAttributeVector::iterator i = attrs.begin(); i != attrs.end(); ++i)
  369. {
  370. if ( (i->pAttribute->dwFlags & always) ||
  371. !(i->pAttribute->dwFlags & never ))
  372. {
  373. dst = ConvertToBaseCampAttribute(i->pAttribute, dst);
  374. }
  375. }
  377. // All done, so add the terminator.
  378. dst->dwAttrType = ratMinimum;
  379. dst->fDataType = rdtUnknown;
  380. dst->cbDataLength = 0;
  381. dst->lpValue = NULL;
  382. }
  384. /////////
  385. // Determines if an extension should only be loaded under NT4.
  386. /////////
  387. BOOL
  388. WINAPI
  389. IsNT4Only(
  390. PCWSTR path
  391. ) throw ()
  392. {
  393. // Strip everything before the last backslash.
  394. const WCHAR* basename = wcsrchr(path, L'\\');
  395. if (basename == NULL)
  396. {
  397. basename = path;
  398. }
  399. else
  400. {
  401. ++basename;
  402. }
  404. // Is this the authsam extension?
  405. return _wcsicmp(basename, L"AUTHSAM.DLL") == 0;
  406. }
  408. /////////
  409. // Free an array of BaseCamp attributes.
  410. /////////
  411. VOID
  412. WINAPI
  413. FreeBaseCampAttributes(
  414. IN PRADIUS_ATTRIBUTE ppAttrs
  415. ) throw ()
  416. {
  417. CoTaskMemFree(ppAttrs);
  418. }
  420. ///////
  421. // Store an array of BaseCamp attributes in a request.
  422. ///////
  423. VOID
  424. WINAPI
  425. StoreBaseCampAttributes(
  426. IN IASRequest& request,
  427. IN const RADIUS_ATTRIBUTE* pAttrs
  428. )
  429. {
  430. // Set the flags based on the response.
  431. DWORD flags;
  432. if (request.get_Response() == IAS_RESPONSE_ACCESS_REJECT)
  433. {
  434. flags = IAS_INCLUDE_IN_REJECT;
  435. }
  436. else
  437. {
  438. flags = IAS_INCLUDE_IN_ACCEPT;
  439. }
  441. // Iterate through the attributes, convert, and store.
  442. const RADIUS_ATTRIBUTE* i;
  443. for (i = pAttrs; i->dwAttrType != ratMinimum; ++i)
  444. {
  445. IASAttribute attr(true);
  446. attr->dwFlags = flags;
  447. attr->dwId = i->dwAttrType;
  449. switch (i->fDataType)
  450. {
  451. case rdtAddress:
  452. {
  453. attr->Value.itType = IASTYPE_INET_ADDR;
  454. attr->Value.InetAddr = i->dwValue;
  455. break;
  456. }
  458. case rdtInteger:
  459. case rdtTime:
  460. {
  461. attr->Value.itType = IASTYPE_INTEGER;
  462. attr->Value.InetAddr = i->dwValue;
  463. break;
  464. }
  466. default:
  467. {
  468. attr.setOctetString(i->cbDataLength, (PBYTE)i->lpValue);
  469. }
  470. }
  472. attr.store(request);
  473. }
  474. }
  476. ///////////////////////////////////////////////////////////////////////////////
  477. //
  478. // CLASS
  479. //
  480. // OutAttributes
  481. //
  482. // DESCRIPTION
  483. //
  484. // Manages the RADIUS_ATTRIBUTE's returned by an extension.
  485. //
  486. ///////////////////////////////////////////////////////////////////////////////
  487. class OutAttributes
  488. {
  489. public:
  490. OutAttributes(BaseCampExtension& ext) throw ()
  491. : owner(ext),attrs(NULL)
  492. { }
  494. ~OutAttributes() throw ()
  495. { owner.freeAttrs(attrs); }
  497. operator bool() const throw ()
  498. { return attrs != NULL; }
  500. PRADIUS_ATTRIBUTE* operator&() throw ()
  501. { return &attrs; }
  503. operator const RADIUS_ATTRIBUTE*() const throw ()
  504. { return attrs; }
  506. private:
  507. BaseCampExtension& owner;
  508. PRADIUS_ATTRIBUTE attrs;
  510. // Not implemented.
  511. OutAttributes(const OutAttributes&);
  512. OutAttributes& operator=(const OutAttributes&);
  513. };
  516. BaseCampHostBase::BaseCampHostBase(
  517. PCSTR friendlyName,
  518. PCWSTR registryKey,
  519. PCWSTR registryValue,
  520. BOOL inboundPacket,
  521. DWORD actions
  522. ) throw ()
  523. : name(friendlyName),
  524. extensionsKey(registryKey),
  525. extensionsValue(registryValue),
  526. inbound(inboundPacket),
  527. allowedActions(actions),
  528. numExtensions(0),
  529. extensions(NULL)
  530. {
  531. }
  533. STDMETHODIMP BaseCampHostBase::Initialize()
  534. {
  535. // Allocate an attribute for the Authentication-Type.
  536. DWORD error = IASAttributeAlloc(1, &authType);
  537. if (error != NO_ERROR) { return HRESULT_FROM_WIN32(error); }
  539. // Initialize the attribute fields.
  540. authType->dwId = IAS_ATTRIBUTE_AUTHENTICATION_TYPE;
  541. authType->Value.itType = IASTYPE_ENUM;
  542. authType->Value.Enumerator = IAS_AUTH_CUSTOM;
  544. DWORD status = NO_ERROR;
  545. HKEY hKey = NULL;
  547. do
  548. {
  549. // Open the registry key.
  550. status = RegOpenKeyW(
  551. HKEY_LOCAL_MACHINE,
  552. extensionsKey,
  553. &hKey
  554. );
  555. if (status != NO_ERROR) { break; }
  557. // Allocate a buffer to hold the value.
  558. DWORD type, length;
  559. status = RegQueryValueExW(
  560. hKey,
  561. extensionsValue,
  562. NULL,
  563. &type,
  564. NULL,
  565. &length
  566. );
  567. if (status != NO_ERROR) { break; }
  568. PBYTE data = (PBYTE)_alloca(length);
  570. // Read the registry value.
  571. status = RegQueryValueExW(
  572. hKey,
  573. extensionsValue,
  574. NULL,
  575. &type,
  576. data,
  577. &length
  578. );
  579. if (status != NO_ERROR) { break; }
  581. // Make sure it's the right type.
  582. if (type != REG_MULTI_SZ)
  583. {
  584. status = ERROR_INVALID_DATA;
  585. break;
  586. }
  588. // Count the number of strings.
  589. PCWSTR path;
  590. for (path = (PCWSTR)data; *path; path += wcslen(path) + 1)
  591. {
  592. if (!IsNT4Only(path)) { ++numExtensions; }
  593. }
  595. // If there are no extensions, then we're done.
  596. if (numExtensions == 0) { break; }
  598. // Allocate memory to hold the extensions.
  599. extensions = new (std::nothrow) BaseCampExtension[numExtensions];
  600. if (extensions == NULL)
  601. {
  602. status = ERROR_NOT_ENOUGH_MEMORY;
  603. break;
  604. }
  606. // Load the DLL's.
  607. BaseCampExtension* ext = extensions;
  608. for (path = (PCWSTR)data; *path; path += wcslen(path) + 1)
  609. {
  610. if (!IsNT4Only(path))
  611. {
  612. IASTracePrintf("Loading %s extension %S", name, path);
  614. status = ext->load(path);
  615. if (status != NO_ERROR)
  616. {
  617. break;
  618. }
  619. ++ext;
  620. }
  621. }
  623. } while (false);
  625. // If we failed, shutdown.
  626. if (status != NO_ERROR) { BaseCampHostBase::Shutdown(); }
  628. // Close the registry.
  629. if (hKey) { RegCloseKey(hKey); }
  631. // If no extensions are registered, then it's not really an error.
  632. if (status == ERROR_FILE_NOT_FOUND) { status = NO_ERROR; }
  634. return HRESULT_FROM_WIN32(status);
  635. }
  637. STDMETHODIMP BaseCampHostBase::Shutdown()
  638. {
  639. numExtensions = 0;
  641. delete[] extensions;
  642. extensions = NULL;
  644. authType.release();
  646. return S_OK;
  647. }
  649. IASREQUESTSTATUS BaseCampHostBase::onSyncRequest(IRequest* pRequest) throw ()
  650. {
  651. // Short-circuit if there aren't any extensions,
  652. if (numExtensions == 0) { return IAS_REQUEST_STATUS_CONTINUE; }
  654. IASTracePrintf("%s processing request.", name);
  656. // Array of converted attributes. These are at function scope so we can
  657. // clean-up after an exception.
  658. PRADIUS_ATTRIBUTE pAttrs = NULL;
  660. // Default status is to continue.
  661. IASREQUESTSTATUS retval = IAS_REQUEST_STATUS_CONTINUE;
  663. try
  664. {
  665. IASRequest request(pRequest);
  667. // Convert any VSAs to RADIUS wire format.
  668. filter.radiusFromIAS(request);
  670. // Convert request to an array of BaseCamp attributes.
  671. ConvertRequestToBaseCampAttributes(
  672. request,
  673. inbound,
  674. &pAttrs
  675. );
  677. // Extensions can only return an action for Access-Requests.
  678. RADIUS_ACTION fAction = raContinue, *pfAction;
  679. if (allowedActions &&
  680. request.get_Request() == IAS_REQUEST_ACCESS_REQUEST)
  681. {
  682. pfAction = &fAction;
  683. }
  684. else
  685. {
  686. pfAction = NULL;
  687. }
  689. BOOL handled = FALSE;
  691. // Invoke each extension.
  692. for (DWORD i = 0; i < numExtensions && !handled; ++i)
  693. {
  694. IASTracePrintf("Invoking extension %S.", extensions[i].getName());
  696. OutAttributes outAttrs(extensions[i]);
  697. DWORD error = extensions[i].process(
  698. pAttrs,
  699. &outAttrs,
  700. pfAction
  701. );
  703. // Abort on error ...
  704. if (error != NO_ERROR)
  705. {
  706. IASTraceFailure("RadiusExtensionProcess", error);
  708. _com_issue_error(IAS_INTERNAL_ERROR);
  709. }
  711. // Process the action.
  712. if (fAction == raAccept && (allowedActions & ACTION_ACCEPT))
  713. {
  714. IASTraceString("Extension action: Accept");
  716. authType.store(request);
  718. request.SetResponse(IAS_RESPONSE_ACCESS_ACCEPT);
  719. retval = IAS_REQUEST_STATUS_CONTINUE;
  720. handled = TRUE;
  721. }
  722. else if (fAction == raReject && (allowedActions & ACTION_REJECT))
  723. {
  724. IASTraceString("Extension action: Reject");
  726. // In the reject case, we have to remove any existing
  727. // authentication type, because we may be an authorization
  728. // extension.
  729. DWORD attrId = IAS_ATTRIBUTE_AUTHENTICATION_TYPE;
  730. request.RemoveAttributesByType(1, &attrId);
  732. authType.store(request);
  734. request.SetResponse(IAS_RESPONSE_ACCESS_REJECT, IAS_AUTH_FAILURE);
  735. retval = IAS_REQUEST_STATUS_HANDLED;
  736. handled = TRUE;
  737. }
  738. else
  739. {
  740. IASTraceString("Extension action: Continue");
  741. }
  743. // Store the outAttrs (if any).
  744. if (outAttrs)
  745. {
  746. StoreBaseCampAttributes(request, outAttrs);
  747. }
  748. }
  750. // Convert any VSAs back to internal format.
  751. filter.radiusToIAS(request);
  752. }
  753. catch (const _com_error& ce)
  754. {
  755. IASTraceExcept();
  757. pRequest->SetResponse(IAS_RESPONSE_DISCARD_PACKET, ce.Error());
  758. retval = IAS_REQUEST_STATUS_ABORT;
  759. }
  761. // Clean up the attributes.
  762. FreeBaseCampAttributes(pAttrs);
  764. return retval;
  765. }