archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/ds/security/protocols/kerberos/common2/authen.cxx

453 lines
11 KiB
Raw Normal View History

Add source files
4 years ago
  1. //+---------------------------------------------------------------------------
  2. //
  3. // Microsoft Windows
  4. // Copyright (C) Microsoft Corporation, 1992 - 1993.
  5. //
  6. // File: authen.cxx
  7. //
  8. // Contents: Authenticator verification code
  9. //
  10. // Classes: CAuthenticatorList
  11. //
  12. // Functions: Compare, AuthenAllocate, AuthenFree
  13. //
  14. // History: 4-04-93 WadeR Created
  15. //
  16. //----------------------------------------------------------------------------
  18. #include <secpch2.hxx>
  19. #pragma hdrstop
  21. //
  22. // Security include files.
  23. //
  24. #include <kerbcomm.h>
  25. #include <authen.hxx>
  26. extern "C"
  27. {
  28. #include <md5.h>
  29. }
  34. typedef struct _KERB_AUTHEN_HEADER
  35. {
  36. LARGE_INTEGER tsTime;
  37. BYTE Checksum[MD5DIGESTLEN];
  38. } KERB_AUTHEN_HEADER, *PKERB_AUTHEN_HEADER;
  40. #define KERB_MAX_AUTHEN_SIZE 1024
  42. //+---------------------------------------------------------------------------
  43. //
  44. // Function: Compare
  45. //
  46. // Synopsis: Compares two KerbInternalAuthenticators for RTL_GENERIC_TABLE
  47. //
  48. // Effects: none.
  49. //
  50. // Arguments: [Table] -- ignored
  51. // [FirstStruct] --
  52. // [SecondStruct] --
  53. //
  54. // Returns: GenericEqual, GenericLessThan, GenericGreaterThan.
  55. //
  56. // Algorithm: Sorts by TimeStamp first, than nonce, then principal, and
  57. // finally by realm
  58. //
  59. // History: 4-04-93 WadeR Created
  60. //
  61. // Notes: This must impose a complete ordering. The table package
  62. // will not allow an authenticator to be inserted in the table
  63. // if it is equal (according to this function) to one already
  64. // there.
  65. //
  66. //----------------------------------------------------------------------------
  68. RTL_GENERIC_COMPARE_RESULTS
  69. Compare(
  70. IN struct _RTL_GENERIC_TABLE *Table,
  71. IN PVOID FirstStruct,
  72. IN PVOID SecondStruct
  73. )
  74. {
  75. PKERB_AUTHEN_HEADER pOne, pTwo;
  76. RTL_GENERIC_COMPARE_RESULTS ret;
  77. int comp;
  78. pOne = (PKERB_AUTHEN_HEADER) FirstStruct ;
  79. pTwo = (PKERB_AUTHEN_HEADER) SecondStruct ;
  81. DsysAssert( (pOne != NULL) && (pTwo != NULL) );
  84. comp = memcmp( pOne->Checksum,
  85. pTwo->Checksum,
  86. MD5DIGESTLEN );
  87. if (comp > 0)
  88. {
  89. ret = GenericGreaterThan;
  90. }
  91. else if (comp < 0)
  92. {
  93. ret = GenericLessThan;
  94. }
  95. else
  96. {
  97. ret = GenericEqual;
  98. }
  100. return(ret);
  101. }
  104. //+---------------------------------------------------------------------------
  105. //
  106. // Function: AuthenAllocate
  107. //
  108. // Synopsis: Memory allocator for RTL_GENERIC_TABLE
  109. //
  110. // Effects: Allcoates memory.
  111. //
  112. // Arguments: [Table] -- ignored
  113. // [ByteSize] -- number of bytes to allocate
  114. //
  115. // Signals: Throws exception on failure.
  116. //
  117. // History: 4-04-93 WadeR Created
  118. //
  119. // Notes:
  120. //
  121. //----------------------------------------------------------------------------
  123. PVOID
  124. AuthenAllocate( struct _RTL_GENERIC_TABLE *Table, CLONG ByteSize )
  125. {
  126. return(MIDL_user_allocate ( ByteSize ) );
  127. }
  131. //+---------------------------------------------------------------------------
  132. //
  133. // Function: AuthenFree
  134. //
  135. // Synopsis: Memory deallacotor for the RTL_GENERIC_TABLE.
  136. //
  137. // Effects: frees memory.
  138. //
  139. // Arguments: [Table] -- ingnored
  140. // [Buffer] -- buffer to free
  141. //
  142. // History: 4-04-93 WadeR Created
  143. //
  144. // Notes:
  145. //
  146. //----------------------------------------------------------------------------
  148. VOID
  149. AuthenFree( struct _RTL_GENERIC_TABLE *Table, PVOID Buffer )
  150. {
  151. MIDL_user_free ( Buffer );
  152. }
  156. //+---------------------------------------------------------------------------
  157. //
  158. // Member: CAuthenticatorList::CAuthenticatorList
  159. //
  160. // Synopsis: Initializes the authenticator list.
  161. //
  162. // Effects: Calls RtlInitializeGenericTable (does not allocate memory).
  163. //
  164. // Arguments: [tsMax] -- Maximum acceptable age for an authenticator.
  165. //
  166. // History: 4-04-93 WadeR Created
  167. //
  168. // Notes:
  169. //
  170. //----------------------------------------------------------------------------
  172. CAuthenticatorList::CAuthenticatorList(LARGE_INTEGER tsMax)
  173. :_tsMaxAge(tsMax)
  174. {
  175. NTSTATUS Status;
  176. // The last parameter is the "user defined context" for this table.
  177. // I have no idea what this means. As far as I can tell from the code
  178. // this "context" is never refered to by the table routines.
  180. RtlInitializeGenericTable( &_Table, Compare, AuthenAllocate, AuthenFree, NULL );
  181. Status = RtlInitializeCriticalSection(&_Mutex);
  182. DsysAssert(NT_SUCCESS(Status));
  184. }
  187. //+---------------------------------------------------------------------------
  188. //
  189. // Member: CAuthenticatorList::~CAuthenticatorList
  190. //
  191. // Synopsis: Destructor removes all authenticators in the list.
  192. //
  193. // Effects: Frees memory
  194. //
  195. // Arguments: (none)
  196. //
  197. // Algorithm: Uses "Age" to remove everything.
  198. //
  199. // History: 4-04-93 WadeR Created
  200. //
  201. // Notes:
  202. //
  203. //----------------------------------------------------------------------------
  205. CAuthenticatorList::~CAuthenticatorList()
  206. {
  207. LARGE_INTEGER tsForever;
  208. SetMaxTimeStamp( tsForever );
  209. (void) Age( tsForever );
  210. DsysAssert( RtlIsGenericTableEmpty( &_Table ) );
  211. RtlDeleteCriticalSection(&_Mutex);
  212. }
  215. //+---------------------------------------------------------------------------
  216. //
  217. // Member: CAuthenticatorList::SetMaxAge
  218. //
  219. // Synopsis: Changes the new maximum age for an Authenticator.
  220. //
  221. // Effects: May cause some authenticators to be aged out.
  222. //
  223. // Arguments: [tsNewMaxAge] --
  224. //
  225. // Algorithm:
  226. //
  227. // History: 24-May-94 wader Created
  228. //
  229. // Notes:
  230. //
  231. //----------------------------------------------------------------------------
  233. void
  234. CAuthenticatorList::SetMaxAge( LARGE_INTEGER tsNewMaxAge )
  235. {
  236. LARGE_INTEGER tsNow;
  237. LARGE_INTEGER tsCutoff;
  239. _tsMaxAge = tsNewMaxAge;
  241. GetSystemTimeAsFileTime((PFILETIME) &tsNow );
  243. tsCutoff.QuadPart = tsNow.QuadPart - _tsMaxAge.QuadPart;
  245. (void) Age( tsCutoff );
  246. }
  249. //+---------------------------------------------------------------------------
  250. //
  251. // Member: CAuthenticatorList::Age
  252. //
  253. // Synopsis: Deletes all entries from the table that are earlier than
  254. // the given time.
  255. //
  256. // Effects: Frees memory
  257. //
  258. // Arguments: [tsCutoffTime] -- Delete all elements before this time.
  259. //
  260. // Returns: number of elements deleted.
  261. //
  262. // Algorithm: Get the oldest element in the table. If it is older than
  263. // the time, delete it and loop back. Else return.
  264. //
  265. // History: 4-04-93 WadeR Created
  266. //
  267. // Notes: The table contains the packed forms of Authenticators (as
  268. // created by PackAuthenticator in Kerbsupp). The TimeStamp
  269. // must be first.
  270. //
  271. //----------------------------------------------------------------------------
  273. ULONG
  274. CAuthenticatorList::Age(const LARGE_INTEGER& tsCutoffTime)
  275. {
  276. PKERB_AUTHEN_HEADER pahOldest;
  278. BOOL fDeleted;
  279. ULONG cDeleted = 0;
  281. do
  282. {
  283. // Number 0 is the oldest element in the table.
  284. pahOldest = (PKERB_AUTHEN_HEADER) RtlGetElementGenericTable( &_Table, 0 );
  285. if ((pahOldest != NULL) &&
  286. (pahOldest->tsTime.QuadPart < tsCutoffTime.QuadPart))
  287. {
  288. fDeleted = RtlDeleteElementGenericTable( &_Table, pahOldest );
  289. DsysAssert( fDeleted );
  290. cDeleted++;
  291. }
  292. else
  293. {
  294. fDeleted = FALSE;
  295. }
  296. } while ( fDeleted );
  297. return(cDeleted);
  298. }
  300. //+---------------------------------------------------------------------------
  301. //
  302. // Member: CAuthenticatorList::Check
  303. //
  304. // Synopsis: Determines if an authenticator is valid.
  305. //
  306. // Effects: Allocates memory
  307. //
  308. // Arguments: [pedAuth] -- Authenticator to check (decrypted, but marshalled)
  309. //
  310. // Returns: KDC_ERR_NONE if authenticator is OK.
  311. // KRB_AP_ERR_SKEW if authenticator is expired (assumes clock skew).
  312. // KRB_AP_ERR_REPEAT if authenticator has been used already.
  313. // some other error if something throws an exception.
  314. //
  315. // Signals: none.
  316. //
  317. // Modifies: _Table
  318. //
  319. // History: 4-04-93 WadeR Created
  320. //
  321. // Notes:
  322. //
  323. //----------------------------------------------------------------------------
  325. KERBERR
  326. CAuthenticatorList::Check(
  327. IN PVOID Buffer,
  328. IN ULONG BufferLength,
  329. IN OPTIONAL PVOID OptionalBuffer,
  330. IN OPTIONAL ULONG OptionalBufferLength,
  331. IN PLARGE_INTEGER Time,
  332. IN BOOLEAN Insert
  333. )
  334. {
  335. PKERB_AUTHEN_HEADER pDataInTable = NULL;
  336. KERBERR KerbErr = KDC_ERR_NONE;
  339. //
  340. // Hold the mutex until we have finished the insert and the Age
  341. // operations.
  342. //
  344. RtlEnterCriticalSection(&_Mutex);
  346. __try
  347. {
  348. LARGE_INTEGER tsNow;
  349. LARGE_INTEGER tsCutoffPast;
  350. LARGE_INTEGER tsCutoffFuture;
  352. //
  353. // Determine the cut off time.
  354. //
  356. GetSystemTimeAsFileTime((PFILETIME) &tsNow );
  358. tsCutoffPast.QuadPart = tsNow.QuadPart - _tsMaxAge.QuadPart;
  359. tsCutoffFuture.QuadPart = tsNow.QuadPart + _tsMaxAge.QuadPart;
  363. if ((Time->QuadPart < tsCutoffPast.QuadPart) ||
  364. (Time->QuadPart > tsCutoffFuture.QuadPart))
  365. {
  366. KerbErr = KRB_AP_ERR_SKEW;
  367. }
  368. else
  369. {
  370. BOOLEAN fIsNew;
  371. KERB_AUTHEN_HEADER Header;
  372. MD5_CTX Md5Context;
  374. //
  375. // Store the first chunk of the authenticator. If the authenticator
  376. // doesn't fit on the stack, allocate some space on the heap.
  377. //
  379. Header.tsTime = *Time;
  380. MD5Init(
  381. &Md5Context
  382. );
  384. MD5Update(
  385. &Md5Context,
  386. (PBYTE) Buffer,
  387. BufferLength
  388. );
  389. if ((OptionalBuffer != NULL) && (OptionalBufferLength != 0))
  390. {
  391. MD5Update(
  392. &Md5Context,
  393. (PBYTE) OptionalBuffer,
  394. OptionalBufferLength
  395. );
  396. }
  397. MD5Final(
  398. &Md5Context
  399. );
  400. RtlCopyMemory(
  401. Header.Checksum,
  402. Md5Context.digest,
  403. MD5DIGESTLEN
  404. );
  406. if (!Insert)
  407. {
  408. pDataInTable = (PKERB_AUTHEN_HEADER)RtlLookupElementGenericTable(
  409. &_Table,
  410. &Header );
  412. if (NULL == pDataInTable)
  413. {
  414. KerbErr = KDC_ERR_NONE;
  415. }
  416. else
  417. {
  418. KerbErr = KRB_AP_ERR_REPEAT;
  419. }
  420. }
  421. else
  422. {
  423. RtlInsertElementGenericTable( &_Table,
  424. &Header,
  425. sizeof( KERB_AUTHEN_HEADER ),
  426. &fIsNew );
  428. if (fIsNew)
  429. {
  430. KerbErr = KDC_ERR_NONE;
  431. }
  432. else
  433. {
  434. KerbErr = KRB_AP_ERR_REPEAT;
  435. }
  436. }
  438. }
  440. // Age out the old ones.
  442. (void) Age( tsCutoffPast );
  443. }
  444. __except(EXCEPTION_EXECUTE_HANDLER)
  445. {
  446. KerbErr = KRB_ERR_GENERIC;
  447. }
  449. RtlLeaveCriticalSection(&_Mutex);
  451. return(KerbErr);
  452. }