Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

619 lines
13 KiB

  1. /*++
  2. Copyright (c) 1991 Microsoft Corporation
  3. Module Name:
  4. blsecret.c
  5. Abstract:
  6. This module contains the code to read and write secrets from disk.
  7. Author:
  8. Adam Barr (adamba) 13-June-1997
  9. Revision History:
  10. --*/
  11. #include "bootlib.h"
  12. #define SEC_FAR
  13. typedef BOOLEAN BOOL;
  14. typedef unsigned char BYTE, *PBYTE;
  15. typedef unsigned long DWORD;
  16. #define LM20_PWLEN 14
  17. #include "crypt.h"
  18. #include "rc4.h"
  19. //
  20. // Defined in the bootssp library.
  21. //
  22. BOOL
  23. CalculateLmOwfPassword(
  24. IN PLM_PASSWORD LmPassword,
  25. OUT PLM_OWF_PASSWORD LmOwfPassword
  26. );
  27. BOOL
  28. CalculateNtOwfPassword(
  29. IN PNT_PASSWORD NtPassword,
  30. OUT PNT_OWF_PASSWORD NtOwfPassword
  31. );
  32. // This must be evenly divisible by sizeof(USHORT)
  33. #define ASSUMED_SECTOR_SIZE 512
  34. #if 0
  35. VOID
  36. BlpDumpSector(
  37. PUCHAR Sector
  38. )
  39. {
  40. int i, j;
  41. PUCHAR SectorChar = (PUCHAR)Sector;
  42. for (i = 0; i < ASSUMED_SECTOR_SIZE; i+= 16) {
  43. for (j = 0; j < 16; j++) {
  44. DbgPrint("%2.2x ", SectorChar[i + j]);
  45. }
  46. DbgPrint(" ");
  47. for (j = 0; j < 16; j++) {
  48. if ((SectorChar[i+j] >= ' ') && (SectorChar[i+j] < '~')) {
  49. DbgPrint("%c", SectorChar[i+j]);
  50. } else {
  51. DbgPrint(".");
  52. }
  53. }
  54. DbgPrint("\n");
  55. }
  56. }
  57. #endif
  58. #if defined(REMOTE_BOOT)
  59. ARC_STATUS
  60. BlOpenRawDisk(
  61. PULONG FileId
  62. )
  63. /*++
  64. Routine Description:
  65. This routine opens the raw disk for read/write.
  66. Arguments:
  67. FileId - returns the FileId is successful, for use in subsequent calls.
  68. Return Value:
  69. The status return from the ArcOpen.
  70. --*/
  71. {
  72. ARC_STATUS ArcStatus;
  73. //
  74. // Open the disk in raw mode. Need to check if it is the right string for Alpha.
  75. // On x86 this eventually turns into an int13 read of disk 0x80 which
  76. // is what we want and is more-or-less guaranteed to be in the format
  77. // we expect (e.g. 512 byte sectors).
  78. //
  79. ArcStatus = ArcOpen("multi(0)disk(0)rdisk(0)partition(0)", ArcOpenReadWrite, FileId);
  80. if (ArcStatus != ESUCCESS) {
  81. DbgPrint("BlOpenRawDisk: ArcStatus on ArcOpen: %x\n", ArcStatus);
  82. }
  83. return ArcStatus;
  84. }
  85. ARC_STATUS
  86. BlCloseRawDisk(
  87. ULONG FileId
  88. )
  89. /*++
  90. Routine Description:
  91. This routine closes the raw disk.
  92. Arguments:
  93. FileId - The FileId returned by BlOpenRawDisk.
  94. Return Value:
  95. The status return from the ArcClose.
  96. --*/
  97. {
  98. return ArcClose(FileId);
  99. }
  100. ARC_STATUS
  101. BlCheckForFreeSectors (
  102. ULONG FileId
  103. )
  104. /*++
  105. Routine Description:
  106. This routine makes sure that the MBR looks correct and that there
  107. is nothing installed (OnTrack or EZ-Drive -- need to detect
  108. NT fault-tolerance also) that would prevent us from using the third
  109. sector for storing the password secret.
  110. Arguments:
  111. FileId - The FileId returned by BlOpenRawDisk.
  112. Return Value:
  113. ESUCCESS if the disk is OK, or an error.
  114. --*/
  115. {
  116. ARC_STATUS ArcStatus;
  117. USHORT Sector[ASSUMED_SECTOR_SIZE/sizeof(USHORT)];
  118. ULONG BytesProcessed;
  119. PPARTITION_DESCRIPTOR FirstPartition;
  120. LARGE_INTEGER SeekPosition;
  121. //
  122. // Make sure we are at the beginning of the disk.
  123. //
  124. SeekPosition.QuadPart = 0;
  125. ArcStatus = ArcSeek(FileId, &SeekPosition, SeekAbsolute);
  126. if (ArcStatus != ESUCCESS) {
  127. DbgPrint("BlCheckForFreeSectors: ArcStatus on ArcSeek: %x\n", ArcStatus);
  128. return ArcStatus;
  129. }
  130. //
  131. // Read the MBR at the start of the disk.
  132. //
  133. ArcStatus = ArcRead(FileId, Sector, ASSUMED_SECTOR_SIZE, &BytesProcessed);
  134. if (ArcStatus != ESUCCESS) {
  135. DbgPrint("BlCheckForFreeSectors: ArcStatus on ArcRead MBR: %x\n", ArcStatus);
  136. return ArcStatus;
  137. }
  138. #if 0
  139. BlpDumpSector((PUCHAR)Sector);
  140. #endif
  141. //
  142. // Make sure the signature is OK, and that the type of partition
  143. // 0 is not 0x54 (OnTrack) or 0x55 (EZ-Drive).
  144. //
  145. if (Sector[BOOT_SIGNATURE_OFFSET] != BOOT_RECORD_SIGNATURE) {
  146. DbgPrint("BlCheckForFreeSectors: Boot record signature %x not found (%x found)\n",
  147. BOOT_RECORD_SIGNATURE,
  148. Sector[BOOT_SIGNATURE_OFFSET] );
  149. return EINVAL;
  150. }
  151. //
  152. // FirstPartition is the first entry in the partition table.
  153. //
  154. FirstPartition = (PPARTITION_DESCRIPTOR)&Sector[PARTITION_TABLE_OFFSET];
  155. if ((FirstPartition->PartitionType == 0x54) ||
  156. (FirstPartition->PartitionType == 0x55)) {
  157. DbgPrint("BlCheckForFreeSectors: First partition has type %x, exiting\n", FirstPartition->PartitionType);
  158. return EINVAL;
  159. }
  160. DbgPrint("BlCheckForFreeSectors: Partition type is %d\n", FirstPartition->PartitionType);
  161. #if 0
  162. //
  163. // Make the active entry the first one in the partition table.
  164. //
  165. if ((FirstPartition->ActiveFlag & PARTITION_ACTIVE_FLAG) != PARTITION_ACTIVE_FLAG) {
  166. PPARTITION_DESCRIPTOR ActivePartition;
  167. PARTITION_DESCRIPTOR TempPartition;
  168. ULONG i;
  169. ActivePartition = FirstPartition;
  170. for (i = 1; i < NUM_PARTITION_TABLE_ENTRIES; i++) {
  171. ++ActivePartition;
  172. if ((ActivePartition->ActiveFlag & PARTITION_ACTIVE_FLAG) == PARTITION_ACTIVE_FLAG) {
  173. DbgPrint("BlCheckForFreeSector: Moving active partition %d to the front\n", i);
  174. TempPartition = *FirstPartition;
  175. *FirstPartition = *ActivePartition;
  176. *ActivePartition = TempPartition;
  177. break;
  178. }
  179. }
  180. if (i == NUM_PARTITION_TABLE_ENTRIES) {
  181. DbgPrint("BlCheckForFreeSector: Could not find an active partition!!\n");
  182. } else {
  183. ArcStatus = ArcSeek(FileId, &SeekPosition, SeekAbsolute);
  184. if (ArcStatus != ESUCCESS) {
  185. DbgPrint("BlCheckForFreeSectors: ArcStatus on ArcSeek: %x\n", ArcStatus);
  186. return ArcStatus;
  187. }
  188. ArcStatus = ArcWrite(FileId, Sector, ASSUMED_SECTOR_SIZE, &BytesProcessed);
  189. if ((ArcStatus != ESUCCESS) ||
  190. (BytesProcessed != ASSUMED_SECTOR_SIZE)) {
  191. DbgPrint("BlCheckForFreeSectors: ArcStatus on ArcWrite MBR: %x (%x)\n", ArcStatus, BytesProcessed);
  192. return ArcStatus;
  193. }
  194. }
  195. }
  196. #endif
  197. return ESUCCESS;
  198. }
  199. ARC_STATUS
  200. BlReadSecret(
  201. ULONG FileId,
  202. PRI_SECRET Secret
  203. )
  204. /*++
  205. Routine Description:
  206. This routine reads the secret from the disk, if present.
  207. Arguments:
  208. FileId - The FileId returned by BlOpenRawDisk.
  209. Return Value:
  210. ESUCCESS if the secret is OK, an error otherwise.
  211. --*/
  212. {
  213. ARC_STATUS ArcStatus;
  214. ULONG BytesRead;
  215. LARGE_INTEGER SeekPosition;
  216. //
  217. // Seek to the third sector.
  218. //
  219. SeekPosition.QuadPart = 2 * ASSUMED_SECTOR_SIZE;
  220. ArcStatus = ArcSeek(FileId, &SeekPosition, SeekAbsolute);
  221. if (ArcStatus != ESUCCESS) {
  222. DbgPrint("BlReadSecret: ArcStatus on ArcSeek: %x\n", ArcStatus);
  223. return ArcStatus;
  224. }
  225. //
  226. // Read a secret-sized chunk.
  227. //
  228. ArcStatus = ArcRead(FileId, Secret, sizeof(RI_SECRET), &BytesRead);
  229. if ((ArcStatus != ESUCCESS) ||
  230. (BytesRead != sizeof(RI_SECRET))) {
  231. DbgPrint("BlReadSecret: ArcStatus on ArcRead secret: %x, read %d\n", ArcStatus, BytesRead);
  232. return ArcStatus;
  233. }
  234. if (memcmp(Secret->Signature, RI_SECRET_SIGNATURE, 4) != 0) {
  235. DbgPrint("BlReadSecret: No signature found\n");
  236. return EINVAL;
  237. }
  238. return ESUCCESS;
  239. }
  240. ARC_STATUS
  241. BlWriteSecret(
  242. ULONG FileId,
  243. PRI_SECRET Secret
  244. )
  245. /*++
  246. Routine Description:
  247. This routine writes the secret to the disk.
  248. Arguments:
  249. FileId - The FileId returned by BlOpenRawDisk.
  250. Return Value:
  251. ESUCCESS if the secret is written OK, an error otherwise.
  252. --*/
  253. {
  254. ARC_STATUS ArcStatus;
  255. ULONG BytesWritten;
  256. LARGE_INTEGER SeekPosition;
  257. //
  258. // Seek to the third sector.
  259. //
  260. SeekPosition.QuadPart = 2 * ASSUMED_SECTOR_SIZE;
  261. ArcStatus = ArcSeek(FileId, &SeekPosition, SeekAbsolute);
  262. if (ArcStatus != ESUCCESS) {
  263. DbgPrint("BlWriteSecret: ArcStatus on ArcSeek: %x\n", ArcStatus);
  264. return ArcStatus;
  265. }
  266. //
  267. // Write a secret-sized chunk.
  268. //
  269. ArcStatus = ArcWrite(FileId, Secret, sizeof(RI_SECRET), &BytesWritten);
  270. if ((ArcStatus != ESUCCESS) ||
  271. (BytesWritten != sizeof(RI_SECRET))) {
  272. DbgPrint("BlWriteSecret: ArcStatus on ArcWrite secret: %x, wrote %d\n", ArcStatus, BytesWritten);
  273. return ArcStatus;
  274. }
  275. return ESUCCESS;
  276. }
  277. #endif // defined(REMOTE_BOOT)
  278. VOID
  279. BlInitializeSecret(
  280. IN PUCHAR Domain,
  281. IN PUCHAR User,
  282. IN PUCHAR LmOwfPassword1,
  283. IN PUCHAR NtOwfPassword1,
  284. #if defined(REMOTE_BOOT)
  285. IN PUCHAR LmOwfPassword2 OPTIONAL,
  286. IN PUCHAR NtOwfPassword2 OPTIONAL,
  287. #endif // defined(REMOTE_BOOT)
  288. IN PUCHAR Sid,
  289. IN OUT PRI_SECRET Secret
  290. )
  291. /*++
  292. Routine Description:
  293. This routine initializes the secret structures. The passwords
  294. are OWFed and then encrypted with the User string.
  295. Arguments:
  296. Return Value:
  297. None.
  298. --*/
  299. {
  300. int Length;
  301. int i;
  302. struct RC4_KEYSTRUCT Key;
  303. memset(Secret, 0, sizeof(RI_SECRET));
  304. memcpy(Secret->Signature, RI_SECRET_SIGNATURE, 4);
  305. Secret->Version = 1;
  306. Length = strlen(Domain);
  307. memcpy(Secret->Domain, Domain, Length);
  308. Length = strlen(User);
  309. memcpy(Secret->User, User, Length);
  310. memcpy(Secret->Sid, Sid, RI_SECRET_SID_SIZE);
  311. //
  312. // Encrypt the passwords using the user name.
  313. //
  314. #if defined(BL_USE_LM_PASSWORD)
  315. memcpy(Secret->LmEncryptedPassword1, LmOwfPassword1, LM_OWF_PASSWORD_SIZE);
  316. rc4_key(&Key, strlen(User), User);
  317. rc4(&Key, LM_OWF_PASSWORD_SIZE, Secret->LmEncryptedPassword1);
  318. #if defined(REMOTE_BOOT)
  319. if (LmOwfPassword2 != NULL) {
  320. memcpy(Secret->LmEncryptedPassword2, LmOwfPassword2, LM_OWF_PASSWORD_SIZE);
  321. rc4_key(&Key, strlen(User), User);
  322. rc4(&Key, LM_OWF_PASSWORD_SIZE, Secret->LmEncryptedPassword2);
  323. }
  324. #endif // defined(REMOTE_BOOT)
  325. #endif // defined(BL_USE_LM_PASSWORD)
  326. memcpy(Secret->NtEncryptedPassword1, NtOwfPassword1, NT_OWF_PASSWORD_SIZE);
  327. rc4_key(&Key, strlen(User), User);
  328. rc4(&Key, NT_OWF_PASSWORD_SIZE, Secret->NtEncryptedPassword1);
  329. #if defined(REMOTE_BOOT)
  330. if (NtOwfPassword2 != NULL) {
  331. memcpy(Secret->NtEncryptedPassword2, NtOwfPassword2, NT_OWF_PASSWORD_SIZE);
  332. rc4_key(&Key, strlen(User), User);
  333. rc4(&Key, NT_OWF_PASSWORD_SIZE, Secret->NtEncryptedPassword2);
  334. }
  335. #endif // defined(REMOTE_BOOT)
  336. }
  337. #if defined(REMOTE_BOOT_SECURITY)
  338. VOID
  339. BlParseSecret(
  340. IN OUT PUCHAR Domain,
  341. IN OUT PUCHAR User,
  342. IN OUT PUCHAR LmOwfPassword1,
  343. IN OUT PUCHAR NtOwfPassword1,
  344. IN OUT PUCHAR LmOwfPassword2,
  345. IN OUT PUCHAR NtOwfPassword2,
  346. IN OUT PUCHAR Sid,
  347. IN PRI_SECRET Secret
  348. )
  349. /*++
  350. Routine Description:
  351. This routine parses a secret structure. The passwords
  352. are unencrypted with the User string and returned in OWF form.
  353. Arguments:
  354. Return Value:
  355. None.
  356. --*/
  357. {
  358. struct RC4_KEYSTRUCT Key;
  359. memcpy(Domain, Secret->Domain, RI_SECRET_DOMAIN_SIZE);
  360. Domain[RI_SECRET_DOMAIN_SIZE] = '\0';
  361. memcpy(User, Secret->User, RI_SECRET_USER_SIZE);
  362. User[RI_SECRET_USER_SIZE] = '\0';
  363. memcpy(Sid, Secret->Sid, RI_SECRET_SID_SIZE);
  364. //
  365. // Decrypt the passwords using the user name.
  366. //
  367. #if defined(BL_USE_LM_PASSWORD)
  368. memcpy(LmOwfPassword1, Secret->LmEncryptedPassword1, LM_OWF_PASSWORD_SIZE);
  369. rc4_key(&Key, strlen(User), User);
  370. rc4(&Key, LM_OWF_PASSWORD_SIZE, LmOwfPassword1);
  371. memcpy(LmOwfPassword2, Secret->LmEncryptedPassword2, LM_OWF_PASSWORD_SIZE);
  372. rc4_key(&Key, strlen(User), User);
  373. rc4(&Key, LM_OWF_PASSWORD_SIZE, LmOwfPassword2);
  374. #else
  375. memset(LmOwfPassword1, 0, LM_OWF_PASSWORD_SIZE);
  376. memset(LmOwfPassword2, 0, LM_OWF_PASSWORD_SIZE);
  377. #endif // defined(BL_USE_LM_PASSWORD)
  378. memcpy(NtOwfPassword1, Secret->NtEncryptedPassword1, NT_OWF_PASSWORD_SIZE);
  379. rc4_key(&Key, strlen(User), User);
  380. rc4(&Key, NT_OWF_PASSWORD_SIZE, NtOwfPassword1);
  381. memcpy(NtOwfPassword2, Secret->NtEncryptedPassword2, NT_OWF_PASSWORD_SIZE);
  382. rc4_key(&Key, strlen(User), User);
  383. rc4(&Key, NT_OWF_PASSWORD_SIZE, NtOwfPassword2);
  384. }
  385. #endif // defined(REMOTE_BOOT_SECURITY)
  386. VOID
  387. BlOwfPassword(
  388. IN PUCHAR Password,
  389. IN PUNICODE_STRING UnicodePassword,
  390. IN OUT PUCHAR LmOwfPassword,
  391. IN OUT PUCHAR NtOwfPassword
  392. )
  393. {
  394. char TmpText[CLEAR_BLOCK_LENGTH*2] = {'\0'};
  395. int Length;
  396. int i;
  397. Length = strlen(Password);
  398. //
  399. // Copy the string to TmpText, converting to uppercase.
  400. //
  401. if (Length == 0 || Length > LM20_PWLEN) {
  402. TmpText[0] = 0;
  403. } else {
  404. for (i = 0; i <= Length; i++) {
  405. TmpText[i] = (char)toupper(Password[i]);
  406. }
  407. }
  408. CalculateLmOwfPassword((PLM_PASSWORD)TmpText, (PLM_OWF_PASSWORD)LmOwfPassword);
  409. CalculateNtOwfPassword(UnicodePassword, (PNT_OWF_PASSWORD)NtOwfPassword);
  410. }