archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/net/ias/protocol/proxy/proxy.cpp

746 lines
20 KiB
Raw Normal View History

Add source files
4 years ago
  1. ///////////////////////////////////////////////////////////////////////////////
  2. //
  3. // Copyright (c) 2000, Microsoft Corp. All rights reserved.
  4. //
  5. // FILE
  6. //
  7. // proxy.cpp
  8. //
  9. // SYNOPSIS
  10. //
  11. // Defines the class RadiusProxy.
  12. //
  13. // MODIFICATION HISTORY
  14. //
  15. // 01/26/2000 Original version.
  16. //
  17. ///////////////////////////////////////////////////////////////////////////////
  19. #include <proxypch.h>
  20. #include <datastore2.h>
  21. #include <proxy.h>
  22. #include <radpack.h>
  23. #include <iasevent.h>
  24. #include <iasinfo.h>
  25. #include <iasutil.h>
  26. #include <dsobj.h>
  28. ///////////////////////////////////////////////////////////////////////////////
  29. //
  30. // CLASS
  31. //
  32. // Resolver
  33. //
  34. // DESCRIPTION
  35. //
  36. // Utility class for resolving hostnames and iterating through the results.
  37. //
  38. ///////////////////////////////////////////////////////////////////////////////
  39. class Resolver
  40. {
  41. public:
  42. Resolver() throw ()
  43. : first(NULL), last(NULL)
  44. { }
  46. ~Resolver() throw ()
  47. { if (first != &addr) delete[] first; }
  49. // Returns true if the result set contains the specified address.
  50. bool contains(ULONG address) const throw ()
  51. {
  52. for (const ULONG* i = first; i != last; ++i)
  53. {
  54. if (*i == address) { return true; }
  55. }
  57. return false;
  58. }
  60. // Resolves the given name. The return value is the error code.
  61. ULONG resolve(const PCWSTR name = NULL) throw ()
  62. {
  63. // Clear out the existing result set.
  64. if (first != &addr)
  65. {
  66. delete[] first;
  67. first = last = NULL;
  68. }
  70. if (name)
  71. {
  72. // First try for a quick score on dotted decimal.
  73. addr = ias_inet_wtoh(name);
  74. if (addr != INADDR_NONE)
  75. {
  76. addr = htonl(addr);
  77. first = &addr;
  78. last = first + 1;
  79. return NO_ERROR;
  80. }
  81. }
  83. // That didn't work, so look up the name.
  84. PHOSTENT he = IASGetHostByName(name);
  85. if (!he) { return GetLastError(); }
  87. // Count the number of addresses returned.
  88. ULONG naddr = 0;
  89. while (he->h_addr_list[naddr]) { ++naddr; }
  91. // Allocate an array to hold them.
  92. first = last = new (std::nothrow) ULONG[naddr];
  93. if (first)
  94. {
  95. for (ULONG i = 0; i < naddr; ++i)
  96. {
  97. *last++ = *(PULONG)he->h_addr_list[i];
  98. }
  99. }
  101. LocalFree(he);
  103. return first ? NO_ERROR : WSA_NOT_ENOUGH_MEMORY;
  104. }
  106. const ULONG* begin() const throw ()
  107. { return first; }
  109. const ULONG* end() const throw ()
  110. { return last; }
  112. private:
  113. ULONG addr, *first, *last;
  115. // Not implemented.
  116. Resolver(const Resolver&);
  117. Resolver& operator=(const Resolver&);
  118. };
  120. ///////////////////////////////////////////////////////////////////////////////
  121. //
  122. // CLASS
  123. //
  124. // IASRemoteServer
  125. //
  126. // DESCRIPTION
  127. //
  128. // Extends RemoteServer to add IAS specific server information.
  129. //
  130. ///////////////////////////////////////////////////////////////////////////////
  131. class IASRemoteServer : public RemoteServer
  132. {
  133. public:
  134. IASRemoteServer(
  135. const RemoteServerConfig& config,
  136. RadiusRemoteServerEntry* entry
  137. )
  138. : RemoteServer(config),
  139. counters(entry)
  140. {
  141. // Create the Remote-Server-Address attribute.
  142. IASAttribute name(true);
  143. name->dwId = IAS_ATTRIBUTE_REMOTE_SERVER_ADDRESS;
  144. name->Value.itType = IASTYPE_INET_ADDR;
  145. name->Value.InetAddr = ntohl(config.ipAddress);
  146. attrs.push_back(name);
  148. // Update our PerfMon entry.
  149. if (counters)
  150. {
  151. counters->dwCounters[radiusAuthClientServerPortNumber] =
  152. ntohs(config.authPort);
  153. counters->dwCounters[radiusAccClientServerPortNumber] =
  154. ntohs(config.acctPort);
  155. }
  156. }
  158. // Attributes to be added to each request.
  159. IASAttributeVectorWithBuffer<1> attrs;
  161. // PerfMon counters.
  162. RadiusRemoteServerEntry* counters;
  163. };
  165. RadiusProxy::RadiusProxy()
  166. : engine(this)
  167. {
  168. }
  170. RadiusProxy::~RadiusProxy() throw ()
  171. {
  172. }
  174. STDMETHODIMP RadiusProxy::PutProperty(LONG Id, VARIANT* pValue)
  175. {
  176. if (pValue == NULL) { return E_INVALIDARG; }
  178. HRESULT hr;
  179. switch (Id)
  180. {
  181. case PROPERTY_RADIUSPROXY_SERVERGROUPS:
  182. {
  183. if (V_VT(pValue) != VT_DISPATCH) { return DISP_E_TYPEMISMATCH; }
  185. try
  186. {
  187. configure(V_UNKNOWN(pValue));
  188. hr = S_OK;
  189. }
  190. catch (const _com_error& ce)
  191. {
  192. hr = ce.Error();
  193. }
  194. break;
  195. }
  196. default:
  197. {
  198. hr = DISP_E_MEMBERNOTFOUND;
  199. }
  200. }
  202. return hr;
  203. }
  205. void RadiusProxy::onEvent(
  206. const RadiusEvent& event
  207. ) throw ()
  208. {
  209. // Convert the event context to an IASRemoteServer.
  210. IASRemoteServer* server = static_cast<IASRemoteServer*>(event.context);
  212. // Update the counters.
  213. counters.updateCounters(
  214. event.portType,
  215. event.eventType,
  216. (server ? server->counters : NULL),
  217. event.data
  218. );
  220. // We always use the address as an insertion string.
  221. WCHAR addr[16], misc[16];
  222. ias_inet_htow(ntohl(event.ipAddress), addr);
  224. // Set up the default parameters for event reporting.
  225. DWORD eventID = 0;
  226. DWORD numStrings = 1;
  227. DWORD dataSize = 0;
  228. PCWSTR strings[2] = { addr, misc };
  229. const void* rawData = NULL;
  231. // Map the RADIUS event to an IAS event ID.
  232. switch (event.eventType)
  233. {
  234. case eventInvalidAddress:
  235. eventID = PROXY_E_INVALID_ADDRESS;
  236. _itow(ntohs(event.ipPort), misc, 10);
  237. numStrings = 2;
  238. break;
  240. case eventMalformedPacket:
  241. eventID = PROXY_E_MALFORMED_RESPONSE;
  242. dataSize = event.packetLength;
  243. rawData = event.packet;
  244. break;
  246. case eventBadAuthenticator:
  247. eventID = PROXY_E_BAD_AUTHENTICATOR;
  248. break;
  250. case eventBadSignature:
  251. eventID = PROXY_E_BAD_SIGNATURE;
  252. break;
  254. case eventMissingSignature:
  255. eventID = PROXY_E_MISSING_SIGNATURE;
  256. break;
  258. case eventUnknownType:
  259. eventID = PROXY_E_UNKNOWN_TYPE;
  260. _itow(event.packet[0], misc, 10);
  261. numStrings = 2;
  262. break;
  264. case eventUnexpectedResponse:
  265. eventID = PROXY_E_UNEXPECTED_RESPONSE;
  266. dataSize = event.packetLength;
  267. rawData = event.packet;
  268. break;
  270. case eventSendError:
  271. eventID = PROXY_E_SEND_ERROR;
  272. _itow(event.data, misc, 10);
  273. numStrings = 2;
  274. break;
  276. case eventReceiveError:
  277. eventID = PROXY_E_RECV_ERROR;
  278. _itow(event.data, misc, 10);
  279. numStrings = 2;
  280. break;
  282. case eventServerAvailable:
  283. eventID = PROXY_S_SERVER_AVAILABLE;
  284. break;
  286. case eventServerUnavailable:
  287. eventID = PROXY_E_SERVER_UNAVAILABLE;
  288. _itow(server->maxLost, misc, 10);
  289. numStrings = 2;
  290. break;
  291. }
  293. if (eventID)
  294. {
  295. IASReportEvent(
  296. eventID,
  297. numStrings,
  298. dataSize,
  299. strings,
  300. (void*)rawData
  301. );
  302. }
  303. }
  305. void RadiusProxy::onComplete(
  306. RadiusProxyEngine::Result result,
  307. PVOID context,
  308. RemoteServer* server,
  309. BYTE code,
  310. const RadiusAttribute* begin,
  311. const RadiusAttribute* end
  312. ) throw ()
  313. {
  314. IRequest* comreq = (IRequest*)context;
  316. IASRESPONSE response = IAS_RESPONSE_DISCARD_PACKET;
  318. // Map the result to a reason code.
  319. IASREASON reason;
  320. switch (result)
  321. {
  322. case RadiusProxyEngine::resultSuccess:
  323. reason = IAS_SUCCESS;
  324. break;
  326. case RadiusProxyEngine::resultNotEnoughMemory:
  327. reason = IAS_INTERNAL_ERROR;
  328. break;
  330. case RadiusProxyEngine::resultUnknownServerGroup:
  331. reason = IAS_PROXY_UNKNOWN_GROUP;
  332. break;
  334. case RadiusProxyEngine::resultUnknownServer:
  335. reason = IAS_PROXY_UNKNOWN_SERVER;
  336. break;
  338. case RadiusProxyEngine::resultInvalidRequest:
  339. reason = IAS_PROXY_PACKET_TOO_LONG;
  340. break;
  342. case RadiusProxyEngine::resultSendError:
  343. reason = IAS_PROXY_SEND_ERROR;
  344. break;
  346. case RadiusProxyEngine::resultRequestTimeout:
  347. reason = IAS_PROXY_TIMEOUT;
  348. break;
  350. default:
  351. reason = IAS_INTERNAL_ERROR;
  352. }
  354. try
  355. {
  356. IASRequest request(comreq);
  358. // Always store the server attributes if available.
  359. if (server)
  360. {
  361. static_cast<IASRemoteServer*>(server)->attrs.store(request);
  362. }
  364. if (reason == IAS_SUCCESS)
  365. {
  366. // Set the response code and determine the flags used for returned
  367. // attributes.
  368. DWORD flags = 0;
  369. switch (code)
  370. {
  371. case RADIUS_ACCESS_ACCEPT:
  372. {
  373. response = IAS_RESPONSE_ACCESS_ACCEPT;
  374. flags = IAS_INCLUDE_IN_ACCEPT;
  375. break;
  376. }
  378. case RADIUS_ACCESS_REJECT:
  379. {
  380. response = IAS_RESPONSE_ACCESS_REJECT;
  381. reason = IAS_PROXY_REJECT;
  382. flags = IAS_INCLUDE_IN_REJECT;
  383. break;
  384. }
  386. case RADIUS_ACCESS_CHALLENGE:
  387. {
  388. response = IAS_RESPONSE_ACCESS_CHALLENGE;
  389. flags = IAS_INCLUDE_IN_CHALLENGE;
  390. break;
  391. }
  393. case RADIUS_ACCOUNTING_RESPONSE:
  394. {
  395. response = IAS_RESPONSE_ACCOUNTING;
  396. flags = IAS_INCLUDE_IN_ACCEPT;
  397. break;
  398. }
  400. default:
  401. {
  402. // The RadiusProxyEngine should never do this.
  403. _com_issue_error(E_FAIL);
  404. }
  405. }
  407. // Convert the received attributes to IAS format.
  408. AttributeVector incoming;
  409. for (const RadiusAttribute* src = begin; src != end; ++src)
  410. {
  411. // Temporary hack to workaround bug in the protocol.
  412. if (src->type != RADIUS_SIGNATURE)
  413. {
  414. translator.fromRadius(*src, flags, incoming);
  415. }
  416. }
  418. if (!incoming.empty())
  419. {
  420. // Get the existing attributes.
  421. AttributeVector existing;
  422. existing.load(request);
  424. // Erase any attributes that are already in the request.
  425. AttributeIterator i, j;
  426. for (i = existing.begin(); i != existing.end(); ++i)
  427. {
  428. // Both the flags ...
  429. if (i->pAttribute->dwFlags & flags)
  430. {
  431. for (j = incoming.begin(); j != incoming.end(); )
  432. {
  433. // ... and the ID have to match.
  434. if (j->pAttribute->dwId == i->pAttribute->dwId)
  435. {
  436. j = incoming.erase(j);
  437. }
  438. else
  439. {
  440. ++j;
  441. }
  442. }
  443. }
  444. }
  446. // Store the remaining attributes.
  447. incoming.store(request);
  448. }
  449. }
  450. }
  451. catch (const _com_error& ce)
  452. {
  453. response = IAS_RESPONSE_DISCARD_PACKET;
  455. if (ce.Error() == E_INVALIDARG)
  456. {
  457. // We must have had an error translating from RADIUS to IAS format.
  458. reason = IAS_PROXY_MALFORMED_RESPONSE;
  459. }
  460. else
  461. {
  462. // Probably memory allocation.
  463. reason = IAS_INTERNAL_ERROR;
  464. }
  465. }
  467. // Give it back to the pipeline.
  468. comreq->SetResponse(response, reason);
  469. comreq->ReturnToSource(IAS_REQUEST_STATUS_HANDLED);
  471. // This balances the AddRef we did before calling forwardRequest.
  472. comreq->Release();
  473. }
  475. void RadiusProxy::onAsyncRequest(IRequest* pRequest) throw ()
  476. {
  477. try
  478. {
  479. IASRequest request(pRequest);
  481. // Set the packet code based on the request type.
  482. BYTE packetCode;
  483. switch (request.get_Request())
  484. {
  485. case IAS_REQUEST_ACCESS_REQUEST:
  486. {
  487. packetCode = RADIUS_ACCESS_REQUEST;
  488. break;
  489. }
  491. case IAS_REQUEST_ACCOUNTING:
  492. {
  493. packetCode = RADIUS_ACCOUNTING_REQUEST;
  494. break;
  495. }
  497. default:
  498. {
  499. // The pipeline should never give us a request of the wrong type.
  500. _com_issue_error(E_FAIL);
  501. }
  502. }
  504. // Get the attributes from the request.
  505. AttributeVector all, outgoing;
  506. all.load(request);
  508. for (AttributeIterator i = all.begin(); i != all.end(); ++i)
  509. {
  510. // Send all the attributes received from the client except Proxy-State.
  511. if (i->pAttribute->dwFlags & IAS_RECVD_FROM_CLIENT &&
  512. i->pAttribute->dwId != RADIUS_ATTRIBUTE_PROXY_STATE)
  513. {
  514. translator.toRadius(*(i->pAttribute), outgoing);
  515. }
  516. }
  519. // If the request authenticator contains the CHAP challenge:
  520. // it must be used so get the request authenticator (always to
  521. // simplify the code)
  522. PBYTE requestAuthenticator = 0;
  523. IASAttribute radiusHeader;
  525. if (radiusHeader.load(
  526. request,
  527. IAS_ATTRIBUTE_CLIENT_PACKET_HEADER,
  528. IASTYPE_OCTET_STRING
  529. ))
  530. {
  531. requestAuthenticator = radiusHeader->Value.OctetString.lpValue + 4;
  532. }
  534. // Allocate an array of RadiusAttributes.
  535. size_t nbyte = outgoing.size() * sizeof(RadiusAttribute);
  536. RadiusAttribute* begin = (RadiusAttribute*)_alloca(nbyte);
  537. RadiusAttribute* end = begin;
  539. // Load the individual attributes.
  540. for (AttributeIterator j = outgoing.begin(); j != outgoing.end(); ++j)
  541. {
  542. end->type = (BYTE)(j->pAttribute->dwId);
  543. end->length = (BYTE)(j->pAttribute->Value.OctetString.dwLength);
  544. end->value = j->pAttribute->Value.OctetString.lpValue;
  546. ++end;
  547. }
  549. // Get the RADIUS Server group. This may be NULL since NAS-State bypasses
  550. // proxy policy.
  551. PIASATTRIBUTE group = IASPeekAttribute(
  552. request,
  553. IAS_ATTRIBUTE_PROVIDER_NAME,
  554. IASTYPE_STRING
  555. );
  557. // AddRef the request because we're giving it to the engine.
  558. pRequest->AddRef();
  560. // Add the request authenticator to the parameters of forwardRequest
  561. // That can be NULL
  562. engine.forwardRequest(
  563. (PVOID)pRequest,
  564. (group ? group->Value.String.pszWide : L""),
  565. packetCode,
  566. requestAuthenticator,
  567. begin,
  568. end
  569. );
  570. }
  571. catch (...)
  572. {
  573. // We weren't able to forward it to the engine.
  574. pRequest->SetResponse(IAS_RESPONSE_DISCARD_PACKET, IAS_INTERNAL_ERROR);
  575. pRequest->ReturnToSource(IAS_REQUEST_STATUS_HANDLED);
  576. }
  577. }
  579. void RadiusProxy::configure(IUnknown* root)
  580. {
  581. // Get our IP addresses. We don't care if this fails.
  582. Resolver localAddress, serverAddress;
  583. localAddress.resolve();
  585. // Open the RADIUS Server Groups container. If it's not there, we'll just
  586. // assume there's nothing to configure.
  587. DataStoreObject inGroups(
  588. root,
  589. L"RADIUS Server Groups\0"
  590. );
  591. if (inGroups.empty()) { return; }
  593. // Reserve space for each group.
  594. ServerGroups outGroups(inGroups.numChildren());
  596. // Iterate through the groups.
  597. DataStoreObject inGroup;
  598. while (inGroups.nextChild(inGroup))
  599. {
  600. // Get the group name.
  601. CComBSTR groupName;
  602. inGroup.getValue(L"Name", &groupName);
  604. // Reserve space for each server. This is really a guess since a server
  605. // may resolve to multiple IP addresses.
  606. RemoteServers outServers(inGroup.numChildren());
  608. // Iterate through the servers.
  609. DataStoreObject inServer;
  610. while (inGroup.nextChild(inServer))
  611. {
  612. USES_CONVERSION;
  614. // Populate the RemoteServerConfig. It has a lot of fields.
  615. RemoteServerConfig config;
  617. CComBSTR name;
  618. inServer.getValue(L"Name", &name);
  619. CLSIDFromString(name, &config.guid);
  621. ULONG port;
  622. inServer.getValue(L"Server Authentication Port", &port, 1812);
  623. config.authPort = htons((USHORT)port);
  625. inServer.getValue(L"Server Accounting Port", &port, 1813);
  626. config.acctPort = htons((USHORT)port);
  628. CComBSTR bstrAuth;
  629. inServer.getValue(L"Authentication Secret", &bstrAuth);
  630. config.authSecret = W2A(bstrAuth);
  632. CComBSTR bstrAcct;
  633. inServer.getValue(L"Accounting Secret", &bstrAcct, bstrAuth);
  634. config.acctSecret = W2A(bstrAcct);
  636. inServer.getValue(L"Priority", &config.priority, 1);
  638. inServer.getValue(L"Weight", &config.weight, 50);
  639. // Ignore any zero weight servers.
  640. if (config.weight == 0) { continue; }
  642. // We don't use this feature for now.
  643. config.sendSignature = false;
  645. inServer.getValue(
  646. L"Forward Accounting On/Off",
  647. &config.sendAcctOnOff,
  648. true
  649. );
  651. inServer.getValue(L"Request Timeout", &config.timeout, 3);
  652. // Don't allow zero for timeout
  653. if (config.timeout == 0) { config.timeout = 1; }
  655. inServer.getValue(L"Max Lost Requests", &config.maxLost, 5);
  656. // Don't allow zero for maxLost.
  657. if (config.maxLost == 0) { config.maxLost = 1; }
  659. inServer.getValue(
  660. L"Blackout Interval",
  661. &config.blackout,
  662. 10 * config.timeout
  663. );
  664. if (config.blackout < config.timeout)
  665. {
  666. // Blackout interval must be >= request timeout.
  667. config.blackout = config.timeout;
  668. }
  670. // These need to be in msec.
  671. config.timeout *= 1000;
  672. config.blackout *= 1000;
  674. // Now we have to resolve the server name to an IP address.
  675. CComBSTR address;
  676. inServer.getValue(L"Address", &address);
  677. ULONG error = serverAddress.resolve(address);
  678. if (error)
  679. {
  680. WCHAR errorCode[16];
  681. _itow(GetLastError(), errorCode, 10);
  682. PCWSTR strings[3] = { address, groupName, errorCode };
  683. IASReportEvent(
  684. PROXY_E_HOST_NOT_FOUND,
  685. 3,
  686. 0,
  687. strings,
  688. NULL
  689. );
  690. }
  692. // Create a server entry for each address.
  693. for (const ULONG* addr = serverAddress.begin();
  694. addr != serverAddress.end();
  695. ++addr)
  696. {
  697. // Don't allow them to proxy locally.
  698. if (localAddress.contains(*addr))
  699. {
  700. WCHAR ipAddress[16];
  701. ias_inet_htow(ntohl(*addr), ipAddress);
  702. PCWSTR strings[3] = { address, groupName, ipAddress };
  703. IASReportEvent(
  704. PROXY_E_LOCAL_SERVER,
  705. 3,
  706. 0,
  707. strings,
  708. NULL
  709. );
  711. continue;
  712. }
  714. // Look up the PerfMon counters.
  715. RadiusRemoteServerEntry* entry = counters.getRemoteServerEntry(
  716. *addr
  717. );
  719. // Create the new server
  720. config.ipAddress = *addr;
  721. RemoteServerPtr outServer(new IASRemoteServer(
  722. config,
  723. entry
  724. ));
  725. outServers.push_back(outServer);
  726. }
  727. }
  729. // Ignore any empty groups.
  730. if (outServers.empty()) { continue; }
  732. // Create the new group.
  733. ServerGroupPtr outGroup(new ServerGroup(
  734. groupName,
  735. outServers.begin(),
  736. outServers.end()
  737. ));
  738. outGroups.push_back(outGroup);
  739. }
  741. // Wow, we're finally done.
  742. engine.setServerGroups(
  743. outGroups.begin(),
  744. outGroups.end()
  745. );
  746. }