archive
/
windows-xp
mirror of https://github.com/tongzx/nt5src
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
6 Commits
1 Branch
0 Tags
2.0 GiB
Tree: daad8a087a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'daad8a087a'
${ noResults }
windows-xp/Source/XPSP1/NT/net/tcpip/services/telnet/client/security.c

471 lines
13 KiB
Raw Normal View History

Add source files
4 years ago
  1. //Copyright (c) Microsoft Corporation. All rights reserved.
  2. /*
  3. security.cpp
  4. */
  6. #include <windows.h> /* required for all Windows applications */
  7. #include <stdlib.h>
  8. #include <stdio.h>
  9. #include <stddef.h>
  10. #define SECURITY_WIN32
  11. #include <sspi.h>
  12. #include <rpc.h>
  13. #include <rpcdce.h>
  15. #include "debug.h"
  16. #include "wintel.h"
  17. #include "telnet.h"
  18. #include "commands.h"
  20. static CredHandle hCredential = { 0, 0 };
  21. static CtxtHandle hContext = { 0, 0 };
  22. static PSecPkgInfo pspi;
  24. #define DEFAULT_BUFFER_SIZE 4096
  26. BOOL StuffEscapeIACs( PUCHAR* ppBufDest, UCHAR bufSrc[], DWORD* pdwSize );
  28. void NTLMCleanup()
  29. {
  30. FreeCredentialsHandle(&hCredential);
  31. if(pspi)
  32. {
  33. FreeContextBuffer( pspi );
  34. pspi=NULL;
  35. }
  36. }
  39. BOOL StartNTLMAuth(WI *pwi)
  40. {
  41. unsigned char *sbuf = NULL;
  42. PUCHAR destBuf = NULL;
  43. DWORD dwSize = 0;
  44. BOOL bRetVal = FALSE;
  46. int inx;
  48. TimeStamp tsExpiry;
  49. SECURITY_STATUS secStatus;
  50. SecBufferDesc OutBuffDesc;
  51. SecBuffer OutSecBuff;
  52. ULONG fContextAttr;
  54. HANDLE hProc = NULL;
  55. HANDLE hAccessToken = NULL;
  56. TOKEN_INFORMATION_CLASS tic;
  57. DWORD dwSizeReqd;
  58. VOID* tokenData = NULL;
  59. SID_NAME_USE sidType;
  60. DWORD dwStrSize1 = MAX_PATH + 1;
  61. DWORD dwStrSize2 = MAX_PATH + 1;
  62. SEC_WINNT_AUTH_IDENTITY AuthIdentity;
  64. WCHAR szWideUser[ MAX_PATH + 1 ] ;
  65. WCHAR szWideDomain[ MAX_PATH + 1 ] ;
  67. OutSecBuff.pvBuffer = NULL;
  69. /*
  70. added code to get user name and domain so we can pass it
  71. AcquireCredentialsHandle(); this is to prevent optimization happening in NT
  72. for the case where client and server are on same machine, in which case the
  73. same user in different sessions gets the same Authentication Id thereby
  74. affecting our process clean up in telnet server
  75. */
  77. hProc = OpenProcess( PROCESS_ALL_ACCESS, FALSE,
  78. GetCurrentProcessId() );
  79. if( hProc == NULL )
  80. {
  81. goto End;
  82. }
  84. if( !OpenProcessToken( hProc, TOKEN_QUERY, &hAccessToken ))
  85. {
  86. CloseHandle( hProc );
  87. goto End;
  88. }
  90. //get user info
  91. tic = TokenUser;
  92. //find out how much memory is reqd.
  93. GetTokenInformation( hAccessToken, tic, NULL, 0, &dwSizeReqd );
  95. //allocate that memory
  96. tokenData = (TOKEN_USER*) malloc( dwSizeReqd );
  98. // and check if the allocation succeeded
  99. if (!tokenData) {
  100. CloseHandle( hProc );
  101. CloseHandle( hAccessToken );
  102. goto End;
  103. }
  105. //actually get the user info
  106. if( !GetTokenInformation( hAccessToken, tic, tokenData, dwSizeReqd,
  107. &dwSizeReqd ) )
  108. {
  109. CloseHandle( hProc );
  110. CloseHandle( hAccessToken );
  111. goto End;
  112. }
  114. CloseHandle( hProc );
  115. CloseHandle( hAccessToken );
  117. //convert user SID into a name and domain
  118. if( !LookupAccountSid( NULL, ((TOKEN_USER*) tokenData)->User.Sid,
  119. szWideUser, &dwStrSize1, szWideDomain, &dwStrSize2, &sidType ) )
  120. {
  121. goto End;
  122. }
  124. SfuZeroMemory( &AuthIdentity, sizeof(AuthIdentity) );
  126. if( szWideDomain != NULL )
  127. {
  128. AuthIdentity.Domain = szWideDomain;
  129. AuthIdentity.DomainLength = wcslen(szWideDomain) ;
  130. }
  132. if( szWideUser != NULL )
  133. {
  134. AuthIdentity.User = szWideUser;
  135. AuthIdentity.UserLength = wcslen(szWideUser) ;
  136. }
  138. /// leave password empty via SfuZeroMemory above
  139. /// if ( Password != NULL )
  140. /// {
  141. /// AuthIdentity.Password = Password;
  142. /// AuthIdentity.PasswordLength = lstrlen(Password);
  143. /// }
  145. AuthIdentity.Flags = SEC_WINNT_AUTH_IDENTITY_UNICODE;
  147. if ( SEC_E_OK != (secStatus = AcquireCredentialsHandle(
  148. NULL, // SEC_CHAR * pszPrincipal, // name of principal
  149. ( LPTSTR ) L"NTLM", //SEC_CHAR * pszPackage, // name of package
  150. SECPKG_CRED_OUTBOUND, //ULONG fCredentialUse, // flags indicating use
  151. NULL, // PLUID pvLogonID, // pointer to logon identifier
  152. (PVOID) &AuthIdentity, //PVOID pAuthData, // package-specific data
  153. NULL, //PVOID pGetKeyFn, // pointer to GetKey function
  154. NULL, //PVOID pvGetKeyArgument, // value to pass to GetKey
  155. &hCredential, // credential handle
  156. &tsExpiry)) // life time of the returned credentials);
  158. )
  159. {
  160. goto End;
  161. }
  164. secStatus = QuerySecurityPackageInfo(( LPTSTR ) L"NTLM", &pspi);
  166. if ( secStatus != SEC_E_OK || !pspi)
  167. {
  168. goto End;
  169. }
  171. //
  172. // Prepare our output buffer. We use a temporary buffer because
  173. // the real output buffer will most likely need to be uuencoded
  174. //
  176. OutBuffDesc.ulVersion = 0;
  177. OutBuffDesc.cBuffers = 1;
  178. OutBuffDesc.pBuffers = &OutSecBuff;
  180. OutSecBuff.cbBuffer = pspi->cbMaxToken;
  181. OutSecBuff.BufferType = SECBUFFER_TOKEN;
  182. OutSecBuff.pvBuffer = malloc(pspi->cbMaxToken);
  184. if( !OutSecBuff.pvBuffer ) {
  185. goto End;
  186. }
  188. // We will start using sbuf after the call to the below API
  189. // So allocate it here and bail out if allocation fails
  190. sbuf = (unsigned char*)malloc(DEFAULT_BUFFER_SIZE);
  191. if (!sbuf)
  192. {
  193. goto End;
  194. }
  196. secStatus = InitializeSecurityContext(
  197. &hCredential, // handle to the credentials
  198. NULL, // handle of partially formed context
  199. NULL, //SEC_CHAR * pszTargetName, // name of the target of the context
  200. ISC_REQ_REPLAY_DETECT, // required context attributes
  201. 0, //ULONG Reserved1, // reserved; must be zero
  202. SECURITY_NATIVE_DREP, //ULONG TargetDataRep, // data representation on the target
  203. NULL, //PSecBufferDesc pInput, // pointer to the input buffers
  204. 0, //ULONG Reserved2, // reserved; must be zero
  205. &hContext, // receives the new context handle
  206. &OutBuffDesc, // pointer to the output buffers
  207. &fContextAttr, // receives the context attributes
  208. &tsExpiry); // receives the life span of the security context);
  210. switch ( secStatus )
  211. {
  212. case SEC_I_CONTINUE_NEEDED:
  214. sbuf[0] = IAC;
  215. sbuf[1] = SB;
  216. sbuf[2] = TO_AUTH;
  217. sbuf[3] = AU_IS;
  218. sbuf[4] = AUTH_TYPE_NTLM;
  219. sbuf[5] = AUTH_CLIENT_TO_SERVER | AUTH_HOW_ONE_WAY;
  220. sbuf[6] = NTLM_AUTH;
  221. inx = 7;
  223. dwSize = sizeof(OutSecBuff) - sizeof(LPSTR);
  224. if( !StuffEscapeIACs( &destBuf, ( UCHAR *)&OutSecBuff, &dwSize ) )
  225. {
  226. //copy maximum 'n' bytes where 'n' is minimum of the available sbuf and size of data to copy.
  227. if(DEFAULT_BUFFER_SIZE > dwSize+inx+2) //for IAC SE
  228. {
  229. memcpy( sbuf+inx, (LPSTR)&OutSecBuff, sizeof(OutSecBuff) - sizeof(LPSTR));
  230. inx += sizeof(OutSecBuff) - sizeof(LPSTR);
  231. }
  232. }
  233. else
  234. {
  235. //copy maximum 'n' bytes where 'n' is minimum of the available sbuf and size of data to copy.
  236. if(DEFAULT_BUFFER_SIZE > dwSize+inx+2) //for IAC SE
  237. {
  238. memcpy( sbuf+inx, destBuf, dwSize);
  239. inx += dwSize;
  240. }
  241. }
  242. if(destBuf)
  243. {
  244. free( destBuf );
  245. destBuf = NULL;
  246. }
  248. dwSize = OutSecBuff.cbBuffer;
  249. if( !StuffEscapeIACs( &destBuf, OutSecBuff.pvBuffer, &dwSize ) )
  250. {
  251. if(DEFAULT_BUFFER_SIZE > OutSecBuff.cbBuffer+inx+2) //for IAC SE
  252. {
  253. memcpy( sbuf+inx, OutSecBuff.pvBuffer, OutSecBuff.cbBuffer); //no overflow. Check already present.
  254. inx += OutSecBuff.cbBuffer;
  255. }
  256. }
  257. else
  258. {
  259. if(DEFAULT_BUFFER_SIZE > dwSize+inx+2) //for IAC SE
  260. {
  261. memcpy( sbuf+inx, destBuf, dwSize );//no overflow. Check already present.
  262. inx += dwSize;
  263. }
  264. }
  265. if(destBuf)
  266. {
  267. free( destBuf );
  268. destBuf = NULL;
  269. }
  271. sbuf[inx++] = IAC;
  272. sbuf[inx++] = SE;
  274. FWriteToNet( pwi, ( char * )sbuf, inx );
  275. break;
  276. case SEC_I_COMPLETE_AND_CONTINUE:
  277. case SEC_I_COMPLETE_NEEDED:
  278. default:
  279. goto End;
  280. }
  282. pwi->eState = Authenticating;
  283. bRetVal = TRUE;
  284. End:
  285. if(tokenData)
  286. free( tokenData );
  287. if(OutSecBuff.pvBuffer)
  288. free(OutSecBuff.pvBuffer);
  289. if(sbuf)
  290. free(sbuf);
  291. return bRetVal;
  293. }
  296. BOOL DoNTLMAuth(WI *pwi, PUCHAR pBuffer, DWORD dwSize)
  297. {
  298. SECURITY_STATUS secStatus;
  299. SecBufferDesc InBuffDesc;
  300. SecBuffer InSecBuff;
  301. SecBuffer *pInSecBuff = NULL;
  302. SecBufferDesc OutBuffDesc;
  303. SecBuffer OutSecBuff;
  304. BOOL bStatus=FALSE;
  305. ULONG fContextAttr;
  306. TimeStamp tsExpiry;
  308. unsigned char *sbuf = NULL;
  309. PUCHAR destBuf = NULL;
  310. int inx;
  312. OutSecBuff.pvBuffer = NULL;
  314. pInSecBuff = (SecBuffer *)malloc(sizeof(SecBuffer));
  315. if( NULL == pInSecBuff )
  316. {
  317. goto Done;
  318. }
  320. // Copy the 1st two fields of SecBuffer from pBuffer to pInSecBuffer. Use memcpy because
  321. // pBuffer is not guaranteed to be an aligned pointer.
  322. // Use offsetof to copy whatever is there before pvBuffer.
  323. memcpy((PVOID)pInSecBuff, (PVOID)pBuffer, offsetof(SecBuffer, pvBuffer));//Attack ? Size not known.
  325. // now set pvBuffer to point into the pBuffer area.
  326. pInSecBuff->pvBuffer = (PVOID)(pBuffer+offsetof(SecBuffer,pvBuffer));
  328. if( dwSize<(sizeof(SecBuffer)) ||
  329. dwSize<(offsetof(SecBuffer,pvBuffer)+ pInSecBuff->cbBuffer) ||
  330. !pspi
  331. )
  332. {
  333. goto Done;
  334. }
  335. //
  336. // Prepare our Input buffer - Note the server is expecting the client's
  337. // negotiation packet on the first call
  338. //
  340. InBuffDesc.ulVersion = 0;
  341. InBuffDesc.cBuffers = 1;
  342. InBuffDesc.pBuffers = &InSecBuff;
  344. InSecBuff.cbBuffer = pInSecBuff->cbBuffer;
  345. InSecBuff.BufferType = pInSecBuff->BufferType;
  346. InSecBuff.pvBuffer = pInSecBuff->pvBuffer;
  348. //
  349. // Prepare our output buffer. We use a temporary buffer because
  350. // the real output buffer will most likely need to be uuencoded
  351. //
  353. OutBuffDesc.ulVersion = 0;
  354. OutBuffDesc.cBuffers = 1;
  355. OutBuffDesc.pBuffers = &OutSecBuff;
  357. OutSecBuff.cbBuffer = pspi->cbMaxToken;
  358. OutSecBuff.BufferType = SECBUFFER_TOKEN;
  359. OutSecBuff.pvBuffer = malloc(pspi->cbMaxToken);
  361. if( !OutSecBuff.pvBuffer ) {
  362. goto Done;
  363. }
  365. sbuf = (unsigned char*)malloc(DEFAULT_BUFFER_SIZE);
  366. if (!sbuf)
  367. {
  368. goto Done;
  369. }
  371. secStatus = InitializeSecurityContext(
  372. &hCredential, // handle to the credentials
  373. &hContext, // handle of partially formed context
  374. ( LPTSTR ) L"NTLM",//SEC_CHAR * pszTargetName, // name of the target of the context
  375. ISC_REQ_DELEGATE |
  376. ISC_REQ_REPLAY_DETECT, // required context attributes
  377. 0, //ULONG Reserved1, // reserved; must be zero
  378. SECURITY_NATIVE_DREP, //ULONG TargetDataRep, // data representation on the target
  379. &InBuffDesc, // pointer to the input buffers
  380. 0, //ULONG Reserved2, // reserved; must be zero
  381. &hContext, // receives the new context handle
  382. &OutBuffDesc, // pointer to the output buffers
  383. &fContextAttr, // receives the context attributes
  384. &tsExpiry); // receives the life span of the security context);
  386. switch ( secStatus ) {
  387. case SEC_E_OK:
  388. case SEC_I_CONTINUE_NEEDED:
  389. sbuf[0] = IAC;
  390. sbuf[1] = SB;
  391. sbuf[2] = TO_AUTH;
  392. sbuf[3] = AU_IS;
  393. sbuf[4] = AUTH_TYPE_NTLM;
  394. sbuf[5] = AUTH_CLIENT_TO_SERVER | AUTH_HOW_ONE_WAY;
  395. sbuf[6] = NTLM_RESPONSE;
  396. inx = 7;
  398. dwSize = sizeof(OutSecBuff) - sizeof(LPSTR);
  399. if( !StuffEscapeIACs( &destBuf, (UCHAR *)&OutSecBuff, &dwSize ) )
  400. {
  401. if(DEFAULT_BUFFER_SIZE > dwSize+inx+2) //for IAC SE
  402. {
  403. memcpy( sbuf+inx, (LPSTR)&OutSecBuff, sizeof(OutSecBuff) - sizeof(LPSTR) );//no overflow. Check already present.
  404. inx += sizeof(OutSecBuff) - sizeof(LPSTR);
  405. }
  406. }
  407. else
  408. {
  409. if(DEFAULT_BUFFER_SIZE > dwSize+inx+2) //for IAC SE
  410. {
  411. memcpy( sbuf+inx, destBuf, dwSize );//no overflow. Check already present.
  412. inx += dwSize;
  413. }
  414. }
  415. if(destBuf)
  416. {
  417. free( destBuf );
  418. destBuf = NULL;
  419. }
  420. dwSize = OutSecBuff.cbBuffer;
  421. if( !StuffEscapeIACs( &destBuf, OutSecBuff.pvBuffer, &dwSize ) )
  422. {
  423. if(DEFAULT_BUFFER_SIZE > OutSecBuff.cbBuffer+inx+2) //for IAC SE
  424. {
  425. memcpy( sbuf+inx, OutSecBuff.pvBuffer, OutSecBuff.cbBuffer);
  426. inx += OutSecBuff.cbBuffer;
  427. }
  428. }
  429. else
  430. {
  431. if(DEFAULT_BUFFER_SIZE > dwSize+inx+2) //for IAC SE
  432. {
  433. memcpy( sbuf+inx, destBuf, dwSize );
  434. inx += dwSize;
  435. }
  436. }
  437. if(destBuf)
  438. {
  439. free( destBuf );
  440. destBuf = NULL;
  441. }
  443. sbuf[inx++] = IAC;
  444. sbuf[inx++] = SE;
  446. FWriteToNet(pwi, ( char * )sbuf, inx);
  448. break;
  450. case SEC_I_COMPLETE_NEEDED:
  451. case SEC_I_COMPLETE_AND_CONTINUE:
  452. default:
  453. goto Done;
  454. }
  455. bStatus=TRUE;
  456. Done:
  457. if (sbuf)
  458. {
  459. free(sbuf);
  460. }
  461. if (pInSecBuff)
  462. {
  463. free(pInSecBuff);
  464. }
  465. if (OutSecBuff.pvBuffer)
  466. {
  467. free(OutSecBuff.pvBuffer);
  468. }
  469. pwi->eState=AuthChallengeRecvd;
  470. return(bStatus);
  471. }