archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
7 Commits
1 Branch
0 Tags
2.0 GiB
Tree: 9769ad7c3d
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '9769ad7c3d'
${ noResults }
windows-xp/Source/XPSP1/NT/net/ias/providers/ntuser/lsa/ezlogon.c

406 lines
9.6 KiB
Raw Normal View History

Add source files
4 years ago
  1. ///////////////////////////////////////////////////////////////////////////////
  2. //
  3. // Copyright (c) 1998, Microsoft Corp. All rights reserved.
  4. //
  5. // FILE
  6. //
  7. // ezlogon.c
  8. //
  9. // SYNOPSIS
  10. //
  11. // Defines the IAS wrapper around LsaLogonUser
  12. //
  13. // MODIFICATION HISTORY
  14. //
  15. // 08/15/1998 Original version.
  16. // 09/09/1998 Fix AV when logon domain doesn't match user domain.
  17. // 10/02/1998 NULL out handle when LsaLogonUser fails.
  18. // 10/11/1998 Use SubStatus for STATUS_ACCOUNT_RESTRICTION.
  19. // 10/22/1998 PIAS_LOGON_HOURS is now a mandatory parameter.
  20. // 01/28/1999 Remove LogonDomainName check.
  21. // 04/19/1999 Add IASPurgeTicketCache.
  22. //
  23. ///////////////////////////////////////////////////////////////////////////////
  25. #include <nt.h>
  26. #include <ntrtl.h>
  27. #include <nturtl.h>
  28. #include <ntlsa.h>
  29. #include <kerberos.h>
  30. #include <windows.h>
  32. #include <ezlogon.h>
  33. #include <iaslsa.h>
  34. #include <iastrace.h>
  36. CONST CHAR LOGON_PROCESS_NAME[] = "IAS";
  37. CONST CHAR TOKEN_SOURCE_NAME[TOKEN_SOURCE_LENGTH] = "IAS";
  39. // Number of milliseconds in a week.
  40. #define MSEC_PER_WEEK (1000 * 60 * 60 * 24 * 7)
  42. //////////
  43. // Misc. global variables used for logons.
  44. //////////
  45. LSA_HANDLE theLogonProcess; // The handle for the logon process.
  46. ULONG theMSV1_0_Package; // The MSV1_0 authentication package.
  47. ULONG theKerberosPackage; // The Kerberos authentication package.
  48. STRING theOriginName; // The origin of the logon requests.
  49. TOKEN_SOURCE theSourceContext; // The source context of the logon requests.
  52. /////////////////////////////////////////////////////////////////////////////// //
  53. // FUNCTION
  54. //
  55. // IASLogonInitialize
  56. //
  57. // DESCRIPTION
  58. //
  59. // Registers the logon process.
  60. //
  61. ///////////////////////////////////////////////////////////////////////////////
  62. DWORD
  63. WINAPI
  64. IASLogonInitialize( VOID )
  65. {
  66. DWORD status;
  67. BOOLEAN wasEnabled;
  68. LSA_STRING processName, packageName;
  69. LSA_OPERATIONAL_MODE opMode;
  71. //////////
  72. // Enable SE_TCB_PRIVILEGE.
  73. //////////
  75. status = RtlAdjustPrivilege(
  76. SE_TCB_PRIVILEGE,
  77. TRUE,
  78. FALSE,
  79. &wasEnabled
  80. );
  81. if (!NT_SUCCESS(status)) { goto exit; }
  83. //////////
  84. // Register as a logon process.
  85. //////////
  87. RtlInitString(
  88. &processName,
  89. LOGON_PROCESS_NAME
  90. );
  92. status = LsaRegisterLogonProcess(
  93. &processName,
  94. &theLogonProcess,
  95. &opMode
  96. );
  97. if (!NT_SUCCESS(status)) { goto exit; }
  99. //////////
  100. // Lookup the MSV1_0 authentication package.
  101. //////////
  103. RtlInitString(
  104. &packageName,
  105. MSV1_0_PACKAGE_NAME
  106. );
  108. status = LsaLookupAuthenticationPackage(
  109. theLogonProcess,
  110. &packageName,
  111. &theMSV1_0_Package
  112. );
  113. if (!NT_SUCCESS(status)) { goto deregister; }
  115. //////////
  116. // Lookup the Kerberos authentication package.
  117. //////////
  119. RtlInitString(
  120. &packageName,
  121. MICROSOFT_KERBEROS_NAME_A
  122. );
  124. status = LsaLookupAuthenticationPackage(
  125. theLogonProcess,
  126. &packageName,
  127. &theKerberosPackage
  128. );
  129. if (!NT_SUCCESS(status)) { goto deregister; }
  131. //////////
  132. // Initialize the source context.
  133. //////////
  135. memcpy(theSourceContext.SourceName,
  136. TOKEN_SOURCE_NAME,
  137. TOKEN_SOURCE_LENGTH);
  138. status = NtAllocateLocallyUniqueId(
  139. &theSourceContext.SourceIdentifier
  140. );
  141. if (!NT_SUCCESS(status)) { goto deregister; }
  143. return NO_ERROR;
  145. deregister:
  146. LsaDeregisterLogonProcess(theLogonProcess);
  147. theLogonProcess = NULL;
  149. exit:
  150. return RtlNtStatusToDosError(status);
  151. }
  153. /////////////////////////////////////////////////////////////////////////////// //
  154. // FUNCTION
  155. //
  156. // IASLogonShutdown
  157. //
  158. // DESCRIPTION
  159. //
  160. // Deregisters the logon process.
  161. //
  162. ///////////////////////////////////////////////////////////////////////////////
  163. VOID
  164. WINAPI
  165. IASLogonShutdown( VOID )
  166. {
  167. LsaDeregisterLogonProcess(theLogonProcess);
  168. theLogonProcess = NULL;
  169. }
  171. /////////////////////////////////////////////////////////////////////////////// //
  172. // FUNCTION
  173. //
  174. // IASInitAuthInfo
  175. //
  176. // DESCRIPTION
  177. //
  178. // Initializes the fields common to all MSV1_0_LM20* structs.
  179. //
  180. ///////////////////////////////////////////////////////////////////////////////
  181. VOID
  182. WINAPI
  183. IASInitAuthInfo(
  184. IN PVOID AuthInfo,
  185. IN DWORD FixedLength,
  186. IN PCWSTR UserName,
  187. IN PCWSTR Domain,
  188. OUT PBYTE* Data
  189. )
  190. {
  191. PMSV1_0_LM20_LOGON logon;
  193. // Zero out the fixed data.
  194. memset(AuthInfo, 0, FixedLength);
  196. // Set Data to point just past the fixed struct.
  197. *Data = FixedLength + (PBYTE)AuthInfo;
  199. // This cast is safe since all LM20 structs have the same initial fields.
  200. logon = (PMSV1_0_LM20_LOGON)AuthInfo;
  202. // We always do Network logons.
  203. logon->MessageType = MsV1_0NetworkLogon;
  205. // Copy in the strings common to all logons.
  206. IASInitUnicodeString(logon->LogonDomainName, *Data, Domain);
  207. IASInitUnicodeString(logon->UserName, *Data, UserName);
  208. IASInitUnicodeString(logon->Workstation, *Data, L"");
  209. }
  211. /////////////////////////////////////////////////////////////////////////////// //
  212. // FUNCTION
  213. //
  214. // IASLogonUser
  215. //
  216. // DESCRIPTION
  217. //
  218. // Wrapper around LsaLogonUser.
  219. //
  220. ///////////////////////////////////////////////////////////////////////////////
  221. DWORD
  222. WINAPI
  223. IASLogonUser(
  224. IN PVOID AuthInfo,
  225. IN ULONG AuthInfoLength,
  226. OUT PMSV1_0_LM20_LOGON_PROFILE *Profile,
  227. OUT PHANDLE Token
  228. )
  229. {
  230. NTSTATUS status, SubStatus;
  231. PMSV1_0_LM20_LOGON_PROFILE ProfileBuffer;
  232. ULONG ProfileBufferLength;
  233. LUID LogonId;
  234. QUOTA_LIMITS Quotas;
  236. // Make sure the OUT arguments are NULL.
  237. *Token = NULL;
  238. ProfileBuffer = NULL;
  240. status = LsaLogonUser(
  241. theLogonProcess,
  242. &theOriginName,
  243. Network,
  244. theMSV1_0_Package,
  245. AuthInfo,
  246. AuthInfoLength,
  247. NULL,
  248. &theSourceContext,
  249. &ProfileBuffer,
  250. &ProfileBufferLength,
  251. &LogonId,
  252. Token,
  253. &Quotas,
  254. &SubStatus
  255. );
  257. if (!NT_SUCCESS(status))
  258. {
  259. // For account restrictions, we can get a more descriptive error
  260. // from the SubStatus.
  261. if (status == STATUS_ACCOUNT_RESTRICTION && !NT_SUCCESS(SubStatus))
  262. {
  263. status = SubStatus;
  264. }
  266. // Sometimes LsaLogonUser returns an invalid handle value on failure.
  267. *Token = NULL;
  268. }
  270. if (Profile)
  271. {
  272. // Return the profile if requested ...
  273. *Profile = ProfileBuffer;
  274. }
  275. else if (ProfileBuffer)
  276. {
  277. // ... otherwise free it.
  278. LsaFreeReturnBuffer(ProfileBuffer);
  279. }
  281. return RtlNtStatusToDosError(status);
  282. }
  284. /////////////////////////////////////////////////////////////////////////////// //
  285. // FUNCTION
  286. //
  287. // IASCheckAccountRestrictions
  288. //
  289. // DESCRIPTION
  290. //
  291. // Checks whether an account can be used for logon.
  292. //
  293. ///////////////////////////////////////////////////////////////////////////////
  294. DWORD
  295. WINAPI
  296. IASCheckAccountRestrictions(
  297. IN PLARGE_INTEGER AccountExpires,
  298. IN PIAS_LOGON_HOURS LogonHours
  299. )
  300. {
  301. LARGE_INTEGER now;
  302. TIME_ZONE_INFORMATION tzi;
  303. SYSTEMTIME st;
  304. DWORD unit;
  306. GetSystemTimeAsFileTime(
  307. (LPFILETIME)&now
  308. );
  310. // An expiration time of zero means 'never'.
  311. if (AccountExpires->QuadPart != 0 &&
  312. AccountExpires->QuadPart < now.QuadPart)
  313. {
  314. return ERROR_ACCOUNT_EXPIRED;
  315. }
  317. // If LogonHours is empty, then we're done.
  318. if (LogonHours->UnitsPerWeek == 0)
  319. {
  320. return NO_ERROR;
  321. }
  323. // The LogonHours array does not account for bias.
  324. switch (GetTimeZoneInformation(&tzi))
  325. {
  326. case TIME_ZONE_ID_UNKNOWN:
  327. case TIME_ZONE_ID_STANDARD:
  328. // Bias is in minutes.
  329. now.QuadPart -= 60 * 10000000 * (LONGLONG)tzi.StandardBias;
  330. break;
  332. case TIME_ZONE_ID_DAYLIGHT:
  333. // Bias is in minutes.
  334. now.QuadPart -= 60 * 10000000 * (LONGLONG)tzi.DaylightBias;
  335. break;
  337. default:
  338. return ERROR_INVALID_LOGON_HOURS;
  339. }
  341. FileTimeToSystemTime(
  342. (LPFILETIME)&now,
  343. &st
  344. );
  346. // Number of milliseconds into the week.
  347. unit = st.wMilliseconds +
  348. st.wSecond * 1000 +
  349. st.wMinute * 1000 * 60 +
  350. st.wHour * 1000 * 60 * 60 +
  351. st.wDayOfWeek * 1000 * 60 * 60 * 24;
  353. // Convert this to 'units'.
  354. unit /= (MSEC_PER_WEEK / (DWORD)LogonHours->UnitsPerWeek);
  356. // Test the appropriate bit.
  357. if ((LogonHours->LogonHours[unit / 8 ] & (1 << (unit % 8))) == 0)
  358. {
  359. return ERROR_INVALID_LOGON_HOURS;
  360. }
  362. return NO_ERROR;
  363. }
  365. /////////////////////////////////////////////////////////////////////////////// //
  366. // FUNCTION
  367. //
  368. // IASPurgeTicketCache
  369. //
  370. // DESCRIPTION
  371. //
  372. // Purges the Kerberos ticket cache.
  373. //
  374. ///////////////////////////////////////////////////////////////////////////////
  375. DWORD
  376. WINAPI
  377. IASPurgeTicketCache( VOID )
  378. {
  379. KERB_PURGE_TKT_CACHE_REQUEST request;
  380. NTSTATUS status, subStatus;
  381. PVOID response;
  382. ULONG responseLength;
  384. memset(&request, 0, sizeof(request));
  385. request.MessageType = KerbPurgeTicketCacheMessage;
  387. response = NULL;
  388. responseLength = 0;
  389. subStatus = 0;
  391. status = LsaCallAuthenticationPackage(
  392. theLogonProcess,
  393. theKerberosPackage,
  394. &request,
  395. sizeof(request),
  396. &response,
  397. &responseLength,
  398. &subStatus
  399. );
  400. if (NT_SUCCESS(status))
  401. {
  402. LsaFreeReturnBuffer(response);
  403. }
  405. return RtlNtStatusToDosError(status);
  406. }