|
|
///////////////////////////////////////////////////////////////////////////////
//
// Copyright (c) 1998, Microsoft Corp. All rights reserved.
//
// FILE
//
// subauth.c
//
// SYNOPSIS
//
// Declares the subauthentication and password change notification routines
// for MD5-CHAP.
//
// MODIFICATION HISTORY
//
// 09/01/1998 Original version.
// 11/02/1998 Handle change notifications on a separate thread.
// 11/03/1998 NewPassword may be NULL.
// 11/12/1998 Use private heap.
// Use CreateThread.
// 03/08/1999 Only store passwords for user accounts.
// 03/29/1999 Initialize out parameters to NULL when calling
// SamrQueryInformationUser.
//
///////////////////////////////////////////////////////////////////////////////
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h>
#include <ntlsa.h>
#include <windows.h>
#include <samrpc.h>
#include <samisrv.h>
#include <lsarpc.h>
#include <lsaisrv.h>
#include <lmcons.h>
#include <logonmsv.h>
#include <rasfmsub.h>
#include <cleartxt.h>
#include <md5.h>
#include <md5port.h>
#include <rassfmhp.h>
// Non-zero if the API is locked.
static LONG theLock;
//////////
// Macros to lock/unlock the API during intialization.
//////////
#define API_LOCK() \
while (InterlockedExchange(&theLock, 1)) Sleep(5)
#define API_UNLOCK() \
InterlockedExchange(&theLock, 0)
// Cached handle to the local account domain.
SAMPR_HANDLE theAccountDomain;
// TRUE if we have a handle to the local account domain.
static BOOL theConnectFlag;
//////////
// Macro that ensures we have a connection and bails on failure.
//////////
#define CHECK_CONNECT() \
if (!theConnectFlag) { \ status = ConnectToDomain(); \ if (!NT_SUCCESS(status)) { return status; } \ }
//////////
// Initializes the cached handle to the local account domain.
//////////
NTSTATUSNTAPIConnectToDomain( VOID ){ NTSTATUS status; PLSAPR_POLICY_INFORMATION policyInfo; SAMPR_HANDLE hServer;
API_LOCK();
// If we've already been initialized, there's nothing to do.
if (theConnectFlag) { status = STATUS_SUCCESS; goto exit; }
//////////
// Open a handle to the local account domain.
//////////
policyInfo = NULL; status = LsaIQueryInformationPolicyTrusted( PolicyAccountDomainInformation, &policyInfo ); if (!NT_SUCCESS(status)) { goto exit; }
status = SamIConnect( NULL, &hServer, 0, TRUE ); if (!NT_SUCCESS(status)) { goto free_info; }
status = SamrOpenDomain( hServer, 0, (PRPC_SID)policyInfo->PolicyAccountDomainInfo.DomainSid, &theAccountDomain );
// Did we succeed ?
if (NT_SUCCESS(status)) { theConnectFlag = TRUE; }
SamrCloseHandle(&hServer);
free_info: LsaIFree_LSAPR_POLICY_INFORMATION( PolicyAccountDomainInformation, policyInfo );
exit: API_UNLOCK(); return status;}
//////////
// Returns a SAM handle for the local account domain.
// This handle must not be closed.
//////////
NTSTATUSNTAPIGetDomainHandle( OUT SAMPR_HANDLE *DomainHandle ){ NTSTATUS status;
CHECK_CONNECT();
*DomainHandle = theAccountDomain; return STATUS_SUCCESS;}
//////////
// Returns a SAM handle for the given user.
// The caller is responsible for closing the returned handle.
//////////
NTSTATUSNTAPIGetUserHandle( IN PUNICODE_STRING UserName, OUT SAMPR_HANDLE *UserHandle ){ NTSTATUS status; SAMPR_ULONG_ARRAY RidArray; SAMPR_ULONG_ARRAY UseArray;
CHECK_CONNECT();
RidArray.Element = NULL; UseArray.Element = NULL;
status = SamrLookupNamesInDomain( theAccountDomain, 1, (PRPC_UNICODE_STRING)UserName, &RidArray, &UseArray ); if (!NT_SUCCESS(status)) { goto exit; }
if (UseArray.Element[0] != SidTypeUser) { status = STATUS_NONE_MAPPED; goto free_arrays; }
status = SamrOpenUser( theAccountDomain, 0, RidArray.Element[0], UserHandle );
free_arrays: SamIFree_SAMPR_ULONG_ARRAY( &UseArray ); SamIFree_SAMPR_ULONG_ARRAY( &RidArray );
exit: return status;}
/////////
// Process an MD5-CHAP authentication.
/////////
NTSTATUSNTAPIProcessMD5ChapAuthentication( IN SAM_HANDLE UserHandle, IN PUSER_ALL_INFORMATION UserAll, IN UCHAR ChallengeId, IN DWORD ChallengeLength, IN PUCHAR Challenge, IN PUCHAR Response ){ NTSTATUS status; UNICODE_STRING uniPwd; ANSI_STRING ansiPwd; MD5_CTX context;
/////////
// Retrieve the cleartext password.
/////////
status = RetrieveCleartextPassword( UserHandle, UserAll, &uniPwd ); if (status != STATUS_SUCCESS) { return status; }
//////////
// Convert the password to ANSI.
//////////
status = RtlUnicodeStringToAnsiString( &ansiPwd, &uniPwd, TRUE );
// We're through with the Unicode password.
RtlFreeUnicodeString(&uniPwd);
if (!NT_SUCCESS(status)) { return STATUS_WRONG_PASSWORD; }
//////////
// Compute the correct response.
//////////
MD5Init(&context); MD5Update(&context, &ChallengeId, 1); MD5Update(&context, (PBYTE)ansiPwd.Buffer, ansiPwd.Length); MD5Update(&context, Challenge, ChallengeLength); MD5Final(&context);
// We're through with the ANSI password.
RtlFreeAnsiString(&ansiPwd);
//////////
// Does the actual response match the correct response ?
//////////
if (memcmp(context.digest, Response, 16) == 0) { return STATUS_SUCCESS; }
return STATUS_WRONG_PASSWORD;}
NTSTATUSNTAPIMD5ChapSubAuthentication( IN SAM_HANDLE UserHandle, IN PUSER_ALL_INFORMATION UserAll, IN PRAS_SUBAUTH_INFO RasInfo ){ MD5CHAP_SUBAUTH_INFO* info = (MD5CHAP_SUBAUTH_INFO*)(RasInfo->Data); return ProcessMD5ChapAuthentication( UserHandle, UserAll, info->uchChallengeId, sizeof(info->uchChallenge), info->uchChallenge, info->uchResponse );}
NTSTATUSNTAPIMD5ChapExSubAuthentication( IN SAM_HANDLE UserHandle, IN PUSER_ALL_INFORMATION UserAll, IN PRAS_SUBAUTH_INFO RasInfo ){ MD5CHAP_EX_SUBAUTH_INFO* info = (MD5CHAP_EX_SUBAUTH_INFO*)(RasInfo->Data); DWORD challengeLength = RasInfo->DataSize - sizeof(MD5CHAP_EX_SUBAUTH_INFO) + 1; return ProcessMD5ChapAuthentication( UserHandle, UserAll, info->uchChallengeId, challengeLength, info->uchChallenge, info->uchResponse );}
//////////
// Entry point for the subauthentication DLL.
//////////
NTSTATUSNTAPIMsv1_0SubAuthenticationRoutine( IN NETLOGON_LOGON_INFO_CLASS LogonLevel, IN PVOID LogonInformation, IN ULONG Flags, IN PUSER_ALL_INFORMATION UserAll, OUT PULONG WhichFields, OUT PULONG UserFlags, OUT PBOOLEAN Authoritative, OUT PLARGE_INTEGER LogoffTime, OUT PLARGE_INTEGER KickoffTime ){ NTSTATUS status; LARGE_INTEGER logonTime; PNETLOGON_NETWORK_INFO logonInfo; PRAS_SUBAUTH_INFO rasInfo; MD5CHAP_SUBAUTH_INFO *chapInfo; PWSTR password; UNICODE_STRING uniPassword; SAMPR_HANDLE hUser;
/////////
// Initialize the out parameters.
/////////
*WhichFields = 0; *UserFlags = 0; *Authoritative = TRUE;
/////////
// Check some basic restrictions.
/////////
if (LogonLevel != NetlogonNetworkInformation) { return STATUS_INVALID_INFO_CLASS; }
if (UserAll->UserAccountControl & USER_ACCOUNT_DISABLED) { return STATUS_ACCOUNT_DISABLED; }
NtQuerySystemTime(&logonTime);
if (UserAll->AccountExpires.QuadPart != 0 && UserAll->AccountExpires.QuadPart <= logonTime.QuadPart) { return STATUS_ACCOUNT_EXPIRED; }
if (UserAll->PasswordMustChange.QuadPart <= logonTime.QuadPart) { return UserAll->PasswordLastSet.QuadPart ? STATUS_PASSWORD_EXPIRED : STATUS_PASSWORD_MUST_CHANGE; }
/////////
// Extract the MD5CHAP_SUBAUTH_INFO struct.
/////////
logonInfo = (PNETLOGON_NETWORK_INFO)LogonInformation; rasInfo = (PRAS_SUBAUTH_INFO)logonInfo->NtChallengeResponse.Buffer;
if (rasInfo == NULL || logonInfo->NtChallengeResponse.Length < sizeof(RAS_SUBAUTH_INFO) || rasInfo->ProtocolType != RAS_SUBAUTH_PROTO_MD5CHAP || rasInfo->DataSize != sizeof(MD5CHAP_SUBAUTH_INFO)) { return STATUS_INVALID_PARAMETER; }
chapInfo = (MD5CHAP_SUBAUTH_INFO*)rasInfo->Data;
/////////
// Open a handle to the user object.
/////////
status = GetUserHandle( &(logonInfo->Identity.UserName), &hUser ); if (status != NO_ERROR) { return status; }
/////////
// Verify the MD5-CHAP password.
/////////
status = ProcessMD5ChapAuthentication( hUser, UserAll, chapInfo->uchChallengeId, sizeof(chapInfo->uchChallenge), chapInfo->uchChallenge, chapInfo->uchResponse ); if (status != NO_ERROR) { goto close_user; }
/////////
// Check account restrictions.
/////////
status = SamIAccountRestrictions( hUser, NULL, NULL, &UserAll->LogonHours, LogoffTime, KickoffTime );
close_user: SamrCloseHandle(&hUser);
return status;}
/////////
// Info needed to process a change notification.
/////////
typedef struct _PWD_CHANGE_INFO { ULONG RelativeId; WCHAR NewPassword[1];} PWD_CHANGE_INFO, *PPWD_CHANGE_INFO;
/////////
// Start routine for notification worker thread.
/////////
DWORDWINAPIPasswordChangeNotifyWorker( IN PPWD_CHANGE_INFO ChangeInfo ){ NTSTATUS status; SAMPR_HANDLE hUser; PUSER_CONTROL_INFORMATION uci; ULONG accountControl; USER_PARAMETERS_INFORMATION *oldInfo, newInfo; BOOL cleartextAllowed; PWSTR oldUserParms, newUserParms;
//////////
// Ensure we're connected to the SAM domain.
//////////
if (!theConnectFlag) { status = ConnectToDomain(); if (!NT_SUCCESS(status)) { goto exit; } }
//////////
// Retrieve the UserParameters
//////////
status = SamrOpenUser( theAccountDomain, 0, ChangeInfo->RelativeId, &hUser ); if (!NT_SUCCESS(status)) { goto exit; }
uci = NULL; status = SamrQueryInformationUser( hUser, UserControlInformation, (PSAMPR_USER_INFO_BUFFER*)&uci ); if (!NT_SUCCESS(status)) { goto close_user; }
// Save the info ...
accountControl = uci->UserAccountControl;
// ... and free the buffer.
SamIFree_SAMPR_USER_INFO_BUFFER( (PSAMPR_USER_INFO_BUFFER)uci, UserControlInformation );
// We're only interested in normal accounts.
if (!(accountControl & USER_NORMAL_ACCOUNT)) { goto close_user; }
oldInfo = NULL; status = SamrQueryInformationUser( hUser, UserParametersInformation, (PSAMPR_USER_INFO_BUFFER*)&oldInfo ); if (!NT_SUCCESS(status)) { goto close_user; }
//////////
// Make a null-terminated copy.
//////////
oldUserParms = (PWSTR) RtlAllocateHeap( RasSfmHeap(), 0, oldInfo->Parameters.Length + sizeof(WCHAR) ); if (oldUserParms == NULL) { status = STATUS_NO_MEMORY; goto free_user_info; }
memcpy( oldUserParms, oldInfo->Parameters.Buffer, oldInfo->Parameters.Length );
oldUserParms[oldInfo->Parameters.Length / sizeof(WCHAR)] = L'\0';
//////////
// Should we store the cleartext password in UserParameters?
//////////
status = IsCleartextEnabled( hUser, &cleartextAllowed ); if (!NT_SUCCESS(status)) { goto free_user_parms; }
newUserParms = NULL;
if (cleartextAllowed) { // We either set the new password ...
status = IASParmsSetUserPassword( oldUserParms, ChangeInfo->NewPassword, &newUserParms ); } else { // ... or we erase the old one.
status = IASParmsClearUserPassword( oldUserParms, &newUserParms ); }
// Write the UserParameters back to SAM if necessary.
if (NT_SUCCESS(status) && newUserParms != NULL) { newInfo.Parameters.Length = (USHORT)(sizeof(WCHAR) * (lstrlenW(newUserParms) + 1)); newInfo.Parameters.MaximumLength = newInfo.Parameters.Length; newInfo.Parameters.Buffer = newUserParms;
status = SamrSetInformationUser( hUser, UserParametersInformation, (PSAMPR_USER_INFO_BUFFER)&newInfo );
IASParmsFreeUserParms(newUserParms); }
free_user_parms: RtlFreeHeap( RasSfmHeap(), 0, oldUserParms );
free_user_info: SamIFree_SAMPR_USER_INFO_BUFFER( (PSAMPR_USER_INFO_BUFFER)oldInfo, UserParametersInformation );
close_user: SamrCloseHandle(&hUser);
exit: RtlFreeHeap( RasSfmHeap(), 0, ChangeInfo );
return status;}
//////////
// Password change DLL entry point.
//////////
NTSTATUSNTAPIPasswordChangeNotify( IN PUNICODE_STRING UserName, IN ULONG RelativeId, IN PUNICODE_STRING NewPassword ){ ULONG length; PPWD_CHANGE_INFO info; HANDLE hWorker; DWORD threadId;
// Calculate the length of the new password.
length = NewPassword ? NewPassword->Length : 0;
// Allocate the PWD_CHANGE_INFO struct.
info = (PPWD_CHANGE_INFO) RtlAllocateHeap( RasSfmHeap(), 0, sizeof(PWD_CHANGE_INFO) + length ); if (info == NULL) { return STATUS_NO_MEMORY; }
// Save the RelativeId.
info->RelativeId = RelativeId;
// Save the NewPassword.
if (length) { memcpy(info->NewPassword, NewPassword->Buffer, length); }
// Make sure it's null-terminated.
info->NewPassword[length / sizeof(WCHAR)] = L'\0';
// Create a worker thread.
hWorker = CreateThread( NULL, 0, PasswordChangeNotifyWorker, info, 0, &threadId );
if (hWorker) { CloseHandle(hWorker);
return STATUS_SUCCESS; }
RtlFreeHeap( RasSfmHeap(), 0, info );
return STATUS_UNSUCCESSFUL;}
|
