/* Copyright (c) 1992 Microsoft Corporation Module Name: client.c Abstract: This module contains the client impersonation code. Author: Jameel Hyder (microsoft!jameelh) Revision History: 16 Jun 1992 Initial Version Notes: Tab stop: 4 --*/ #define FILENUM FILE_CLIENT #include #include #include #include #ifdef ALLOC_PRAGMA #pragma alloc_text( PAGE, AfpImpersonateClient) #pragma alloc_text( PAGE, AfpRevertBack) #pragma alloc_text( PAGE, AfpGetChallenge) #pragma alloc_text( PAGE, AfpLogonUser) #endif /*** AfpImpersonateClient * * Impersonates the remote client. The token representing the remote client * is available in the SDA. If the SDA is NULL (i.e. server context) then * impersonate the token that we have created for ourselves. */ VOID AfpImpersonateClient( IN PSDA pSda OPTIONAL ) { NTSTATUS Status = STATUS_SUCCESS; HANDLE Token; PAGED_CODE( ); if (pSda != NULL) { Token = pSda->sda_UserToken; } else Token = AfpFspToken; ASSERT(Token != NULL); Status = NtSetInformationThread(NtCurrentThread(), ThreadImpersonationToken, (PVOID)&Token, sizeof(Token)); ASSERT(NT_SUCCESS(Status)); } /*** AfpRevertBack * * Revert back to the default thread context. */ VOID AfpRevertBack( VOID ) { NTSTATUS Status = STATUS_SUCCESS; HANDLE Handle = NULL; PAGED_CODE( ); Status = NtSetInformationThread(NtCurrentThread(), ThreadImpersonationToken, (PVOID)&Handle, sizeof(Handle)); ASSERT(NT_SUCCESS(Status)); } /*** AfpGetChallenge * * Obtain a challenge token from the MSV1_0 package. This token is used by * AfpLogin call. * * The following function modified so that we generate the challenge ourselves * instead of making a call. This routine borrowed almost verbatim from * the LM server code. */ PBYTE AfpGetChallenge( IN VOID ) { PMSV1_0_LM20_CHALLENGE_REQUEST ChallengeRequest; PMSV1_0_LM20_CHALLENGE_RESPONSE ChallengeResponse; ULONG Length; PBYTE pRetBuf; NTSTATUS Status, StatusX; union { LARGE_INTEGER time; UCHAR bytes[8]; } u; ULONG seed; ULONG challenge[2]; ULONG result3; PAGED_CODE( ); ChallengeRequest = NULL; // // Create a pseudo-random 8-byte number by munging the system time // for use as a random number seed. // // Start by getting the system time. // ASSERT( MSV1_0_CHALLENGE_LENGTH == 2 * sizeof(ULONG) ); KeQuerySystemTime( &u.time ); // // To ensure that we don't use the same system time twice, add in the // count of the number of times this routine has been called. Then // increment the counter. // // *** Since we don't use the low byte of the system time (it doesn't // take on enough different values, because of the timer // resolution), we increment the counter by 0x100. // // *** We don't interlock the counter because we don't really care // if it's not 100% accurate. // u.time.LowPart += EncryptionKeyCount; EncryptionKeyCount += 0x100; // // Now use parts of the system time as a seed for the random // number generator. // // *** Because the middle two bytes of the low part of the system // time change most rapidly, we use those in forming the seed. // seed = ((u.bytes[1] + 1) << 0) | ((u.bytes[2] + 0) << 8) | ((u.bytes[2] - 1) << 16) | ((u.bytes[1] + 0) << 24); // // Now get two random numbers. RtlRandom does not return negative // numbers, so we pseudo-randomly negate them. // challenge[0] = RtlRandom( &seed ); challenge[1] = RtlRandom( &seed ); result3 = RtlRandom( &seed ); if ( (result3 & 0x1) != 0 ) { challenge[0] |= 0x80000000; } if ( (result3 & 0x2) != 0 ) { challenge[1] |= 0x80000000; } // Allocate a buffer to hold the challenge and copy it in if ((pRetBuf = AfpAllocNonPagedMemory(MSV1_0_CHALLENGE_LENGTH)) != NULL) { RtlCopyMemory(pRetBuf, challenge, MSV1_0_CHALLENGE_LENGTH); } return (pRetBuf); } /*** AfpLogonUser * * Attempt to login the user. The password is either encrypted or cleartext * based on the UAM used. The UserName and domain is extracted out of the Sda. * * LOCKS: AfpStatisticsLock (SPIN) */ AFPSTATUS AfpLogonUser( IN PSDA pSda, IN PANSI_STRING UserPasswd ) { NTSTATUS Status, SubStatus; PUNICODE_STRING WSName; ULONG ulUnused; ULONG NtlmInTokenSize; PNTLM_AUTHENTICATE_MESSAGE NtlmInToken = NULL; PAUTHENTICATE_MESSAGE InToken = NULL; ULONG InTokenSize; PNTLM_ACCEPT_RESPONSE OutToken = NULL; ULONG OutTokenSize; SIZE_T AllocateSize; SecBufferDesc InputToken; SecBuffer InputBuffers[2]; SecBufferDesc OutputToken; SecBuffer OutputBuffer; CtxtHandle hNewContext; TimeStamp Expiry; ULONG BufferOffset; PCHAR pTmp; PRAS_SUBAUTH_INFO pRasSubAuthInfo; PARAP_SUBAUTH_REQ pSfmSubAuthInfo; PARAP_SUBAUTH_RESP pSfmResp; DWORD ResponseHigh; DWORD ResponseLow; DWORD dwTmpLen; PAGED_CODE( ); ASSERT(KeGetCurrentIrql() < DISPATCH_LEVEL); #ifdef OPTIMIZE_GUEST_LOGONS // 11/28/94 SueA: Now that there is a License Service to track the number // of sessions via LsaLogonUser, we can no longer fake the guest tokens. // Optimization for subsequent guest logons // After the first guest logon, we save the token and do not free it till the // server stops. All subsequent guest logons 'share' that token. if (pSda->sda_ClientType == SDA_CLIENT_GUEST) { AfpSwmrAcquireExclusive(&AfpEtcMapLock); if (AfpGuestToken != NULL) { pSda->sda_UserToken = AfpGuestToken; pSda->sda_UserSid = &AfpSidWorld; pSda->sda_GroupSid = &AfpSidWorld; // Primary group of Guest is also 'World' #ifdef INHERIT_DIRECTORY_PERMS pSda->sda_UID = AfpIdWorld; pSda->sda_GID = AfpIdWorld; #else ASSERT (AfpGuestSecDesc != NULL); pSda->sda_pSecDesc = AfpGuestSecDesc; #endif AfpSwmrRelease(&AfpEtcMapLock); return AFP_ERR_NONE; } else { AfpSwmrRelease(&AfpEtcMapLock); } } #endif // OPTIMIZE_GUEST_LOGONS WSName = &AfpDefaultWksta; if (pSda->sda_WSName.Length != 0) WSName = &pSda->sda_WSName; // // Figure out how big a buffer we need. We put all the messages // in one buffer for efficiency's sake. // NtlmInTokenSize = sizeof(NTLM_AUTHENTICATE_MESSAGE); // alignment needs to be correct based on 32/64 bit addressing!!! NtlmInTokenSize = (NtlmInTokenSize + 7) & 0xfffffff8; InTokenSize = sizeof(AUTHENTICATE_MESSAGE) + pSda->sda_UserName.Length + WSName->Length + (sizeof(RAS_SUBAUTH_INFO) + sizeof(ARAP_SUBAUTH_REQ)) + pSda->sda_DomainName.Length + UserPasswd->Length + 24; // extra for byte aligning InTokenSize = (InTokenSize + 7) & 0xfffffff8; OutTokenSize = sizeof(NTLM_ACCEPT_RESPONSE); OutTokenSize = (OutTokenSize + 7) & 0xfffffff8; // // Round this up to 8 byte boundary becaus the out token needs to be // quad word aligned for the LARGE_INTEGER. // AllocateSize = ((NtlmInTokenSize + InTokenSize + 7) & 0xfffffff8) + OutTokenSize; Status = NtAllocateVirtualMemory(NtCurrentProcess(), &InToken, 0L, &AllocateSize, MEM_COMMIT, PAGE_READWRITE); if (!NT_SUCCESS(Status)) { AFPLOG_ERROR(AFPSRVMSG_PAGED_POOL, Status, &AllocateSize,sizeof(AllocateSize), NULL); #if DBG DbgBreakPoint(); #endif return(AFP_ERR_MISC); } NtlmInToken = (PNTLM_AUTHENTICATE_MESSAGE) ((PUCHAR) InToken + InTokenSize); OutToken = (PNTLM_ACCEPT_RESPONSE) ((PUCHAR)NtlmInToken + ((NtlmInTokenSize + 7) & 0xfffffff8)); RtlZeroMemory(InToken, InTokenSize + NtlmInTokenSize); // // set up the NtlmInToken first // if (pSda->sda_Challenge) { RtlCopyMemory(NtlmInToken->ChallengeToClient, pSda->sda_Challenge, MSV1_0_CHALLENGE_LENGTH ); } if ((pSda->sda_ClientType == SDA_CLIENT_RANDNUM) || (pSda->sda_ClientType == SDA_CLIENT_TWOWAY)) { NtlmInToken->ParameterControl = (MSV1_0_SUBAUTHENTICATION_DLL_RAS << 24); } else { NtlmInToken->ParameterControl = 0; } // // Okay, now for the tought part - marshalling the AUTHENTICATE_MESSAGE // RtlCopyMemory(InToken->Signature, NTLMSSP_SIGNATURE, sizeof(NTLMSSP_SIGNATURE) ); InToken->MessageType = NtLmAuthenticate; BufferOffset = sizeof(AUTHENTICATE_MESSAGE); // // LM password - case insensitive // pTmp = (PBYTE)InToken + BufferOffset; *(LPWSTR)pTmp = L'\0'; InToken->LmChallengeResponse.Buffer = BufferOffset; InToken->LmChallengeResponse.Length = 1; InToken->LmChallengeResponse.MaximumLength = sizeof(WCHAR); InToken->NtChallengeResponse.Buffer = BufferOffset; InToken->NtChallengeResponse.Length = 0; InToken->NtChallengeResponse.MaximumLength = sizeof(WCHAR); InToken->DomainName.Buffer = BufferOffset; InToken->DomainName.Length = 0; InToken->DomainName.MaximumLength = sizeof(WCHAR); InToken->Workstation.Buffer = BufferOffset; InToken->Workstation.Length = 0; InToken->Workstation.MaximumLength = sizeof(WCHAR); InToken->UserName.Buffer = BufferOffset; InToken->UserName.Length = 0; InToken->UserName.MaximumLength = sizeof(WCHAR); if (pSda->sda_UserName.Length != 0) { if (pSda->sda_DomainName.Length != 0) { InToken->DomainName.Length = pSda->sda_DomainName.Length; InToken->DomainName.MaximumLength = pSda->sda_DomainName.MaximumLength; InToken->DomainName.Buffer = BufferOffset; RtlCopyMemory((PBYTE)InToken + BufferOffset, (PBYTE)pSda->sda_DomainName.Buffer, pSda->sda_DomainName.Length); BufferOffset += pSda->sda_DomainName.Length; BufferOffset = (BufferOffset + 3) & 0xfffffffc; // dword align it } InToken->LmChallengeResponse.Buffer = BufferOffset; // // is he using native Apple UAM? setup buffers differently! // if ((pSda->sda_ClientType == SDA_CLIENT_RANDNUM) || (pSda->sda_ClientType == SDA_CLIENT_TWOWAY)) { pRasSubAuthInfo = (PRAS_SUBAUTH_INFO)((PBYTE)InToken + BufferOffset); pRasSubAuthInfo->ProtocolType = RAS_SUBAUTH_PROTO_ARAP; pRasSubAuthInfo->DataSize = sizeof(ARAP_SUBAUTH_REQ); pSfmSubAuthInfo = (PARAP_SUBAUTH_REQ)&pRasSubAuthInfo->Data[0]; if (pSda->sda_ClientType == SDA_CLIENT_RANDNUM) { pSfmSubAuthInfo->PacketType = SFM_SUBAUTH_LOGON_PKT; } else { pSfmSubAuthInfo->PacketType = SFM_2WAY_SUBAUTH_LOGON_PKT; } pSfmSubAuthInfo->Logon.fGuestLogon = FALSE; ASSERT(pSda->sda_Challenge != NULL); // put the 2 dwords of challenge that we gave the Mac pTmp = pSda->sda_Challenge; GETDWORD2DWORD_NOCONV((PBYTE)&pSfmSubAuthInfo->Logon.NTChallenge1,pTmp); pTmp += sizeof(DWORD); GETDWORD2DWORD_NOCONV((PBYTE)&pSfmSubAuthInfo->Logon.NTChallenge2,pTmp); // put the 2 dwords of response that the Mac gave us pTmp = UserPasswd->Buffer; GETDWORD2DWORD_NOCONV((PBYTE)&pSfmSubAuthInfo->Logon.MacResponse1,pTmp); pTmp += sizeof(DWORD); GETDWORD2DWORD_NOCONV((PBYTE)&pSfmSubAuthInfo->Logon.MacResponse2,pTmp); // 2-way guy sends his own challenge: doesn't trust us! if (pSda->sda_ClientType == SDA_CLIENT_TWOWAY) { pTmp += sizeof(DWORD); GETDWORD2DWORD_NOCONV((PBYTE)&pSfmSubAuthInfo->Logon.MacChallenge1,pTmp); pTmp += sizeof(DWORD); GETDWORD2DWORD_NOCONV((PBYTE)&pSfmSubAuthInfo->Logon.MacChallenge2,pTmp); } dwTmpLen = (sizeof(RAS_SUBAUTH_INFO) + sizeof(ARAP_SUBAUTH_REQ)); InToken->LmChallengeResponse.Length = (USHORT)dwTmpLen; InToken->LmChallengeResponse.MaximumLength = (USHORT)dwTmpLen; BufferOffset += dwTmpLen; } // // this client is using MS-UAM or Apple's cleartext // else { InToken->LmChallengeResponse.Length = UserPasswd->Length; InToken->LmChallengeResponse.MaximumLength = UserPasswd->MaximumLength; RtlCopyMemory( (PBYTE)InToken + BufferOffset, UserPasswd->Buffer, UserPasswd->Length ); BufferOffset += UserPasswd->Length; } BufferOffset = (BufferOffset + 3) & 0xfffffffc; // dword align it // // Workstation Name // InToken->Workstation.Buffer = BufferOffset; InToken->Workstation.Length = WSName->Length; InToken->Workstation.MaximumLength = WSName->MaximumLength; RtlCopyMemory((PBYTE)InToken + BufferOffset, WSName->Buffer, WSName->Length); BufferOffset += WSName->Length; BufferOffset = (BufferOffset + 3) & 0xfffffffc; // dword align it // // User Name // InToken->UserName.Buffer = BufferOffset; InToken->UserName.Length = pSda->sda_UserName.Length; InToken->UserName.MaximumLength = pSda->sda_UserName.MaximumLength; RtlCopyMemory((PBYTE)InToken + BufferOffset, pSda->sda_UserName.Buffer, pSda->sda_UserName.Length); BufferOffset += pSda->sda_UserName.Length; } InputToken.pBuffers = InputBuffers; InputToken.cBuffers = 2; InputToken.ulVersion = 0; InputBuffers[0].pvBuffer = InToken; InputBuffers[0].cbBuffer = InTokenSize; InputBuffers[0].BufferType = SECBUFFER_TOKEN; InputBuffers[1].pvBuffer = NtlmInToken; InputBuffers[1].cbBuffer = NtlmInTokenSize; InputBuffers[1].BufferType = SECBUFFER_TOKEN; OutputToken.pBuffers = &OutputBuffer; OutputToken.cBuffers = 1; OutputToken.ulVersion = 0; OutputBuffer.pvBuffer = OutToken; OutputBuffer.cbBuffer = OutTokenSize; OutputBuffer.BufferType = SECBUFFER_TOKEN; Status = AcceptSecurityContext(&AfpSecHandle, NULL, &InputToken, ASC_REQ_LICENSING, SECURITY_NATIVE_DREP, &hNewContext, &OutputToken, &ulUnused, &Expiry ); if (NT_SUCCESS(Status)) { AFPTIME CurrentTime; NTSTATUS SecStatus; if (pSda->sda_ClientType != SDA_CLIENT_GUEST) { SecPkgContext_PasswordExpiry PasswordExpires; // Get the kickoff time from the profile buffer. Round this to // even # of SESSION_CHECK_TIME units SecStatus = QueryContextAttributes( &hNewContext, SECPKG_ATTR_PASSWORD_EXPIRY, &PasswordExpires ); if( SecStatus == NO_ERROR ) { AfpGetCurrentTimeInMacFormat(&CurrentTime); pSda->sda_tTillKickOff = (DWORD) ( AfpConvertTimeToMacFormat(&PasswordExpires.tsPasswordExpires) - CurrentTime ); pSda->sda_tTillKickOff -= pSda->sda_tTillKickOff % SESSION_CHECK_TIME; } else { DBGPRINT(DBG_COMP_SECURITY, DBG_LEVEL_ERR, ("AfpLogonUser: QueryContextAttributes failed %lx\n",SecStatus)); } } // return stuff from subauth pSfmResp = (PARAP_SUBAUTH_RESP)&OutToken->UserSessionKey[0]; ResponseHigh = pSfmResp->Response.high; ResponseLow = pSfmResp->Response.low; SubStatus = NtFreeVirtualMemory(NtCurrentProcess( ), (PVOID *)&InToken, &AllocateSize, MEM_RELEASE); ASSERT(NT_SUCCESS(SubStatus)); // // 2-Way authentication? client expects us to send a response to // the challenge that it sent // if (pSda->sda_ClientType == SDA_CLIENT_TWOWAY) { pSda->sda_ReplySize = RANDNUM_RESP_LEN; if (AfpAllocReplyBuf(pSda) != AFP_ERR_NONE) { return(AFP_ERR_USER_NOT_AUTH); } pTmp = pSda->sda_ReplyBuf; PUTBYTE42BYTE4(pTmp, (PBYTE)&ResponseHigh); pTmp += sizeof(DWORD); PUTBYTE42BYTE4(pTmp, (PBYTE)&ResponseLow); } else if (pSda->sda_ClientType == SDA_CLIENT_MSUAM_V2) { pSda->sda_ReplySize = sizeof(DWORD); if (AfpAllocReplyBuf(pSda) != AFP_ERR_NONE) { return(AFP_ERR_USER_NOT_AUTH); } pTmp = pSda->sda_ReplyBuf; PUTBYTE42BYTE4(pTmp, (PBYTE)&pSda->sda_tTillKickOff); } } else // if (NT_SUCCESS(Status) != NO_ERROR) { NTSTATUS ExtErrCode = Status; DBGPRINT(DBG_COMP_SECURITY, DBG_LEVEL_ERR, ("AfpLogonUser: AcceptSecurityContext() failed with %X\n", Status)); SubStatus = NtFreeVirtualMemory(NtCurrentProcess(), (PVOID *)&InToken, &AllocateSize, MEM_RELEASE ); ASSERT(NT_SUCCESS(SubStatus)); // Set extended error codes here if using custom UAM or AFP 2.1 Status = AFP_ERR_USER_NOT_AUTH; // default // The mac will map this to a session error dialog for each UAM. // The dialog may be a little different for different versions of // the mac OS and each UAM, but will always have something to do // with getting the message across about no more sessions available. if (ExtErrCode == STATUS_LICENSE_QUOTA_EXCEEDED) { DBGPRINT(DBG_COMP_SECURITY, DBG_LEVEL_ERR, ("AfpLogonUser: License Quota Exceeded: returning ASP_SERVER_BUSY\n")); return (ASP_SERVER_BUSY); } if ((pSda->sda_ClientVersion >= AFP_VER_21) && (pSda->sda_ClientType != SDA_CLIENT_MSUAM_V2) && (pSda->sda_ClientType != SDA_CLIENT_MSUAM_V2)) { if ((ExtErrCode == STATUS_PASSWORD_EXPIRED) || (ExtErrCode == STATUS_PASSWORD_MUST_CHANGE)) Status = AFP_ERR_PWD_EXPIRED; } else if ((pSda->sda_ClientType == SDA_CLIENT_MSUAM_V1) || (pSda->sda_ClientType == SDA_CLIENT_MSUAM_V2)) { if ((ExtErrCode == STATUS_PASSWORD_EXPIRED) || (ExtErrCode == STATUS_PASSWORD_MUST_CHANGE)) Status = AFP_ERR_PASSWORD_EXPIRED; else if ((ExtErrCode == STATUS_ACCOUNT_DISABLED) || (ExtErrCode == STATUS_ACCOUNT_LOCKED_OUT)) Status = AFP_ERR_ACCOUNT_DISABLED; else if (ExtErrCode == STATUS_INVALID_LOGON_HOURS) Status = AFP_ERR_INVALID_LOGON_HOURS; else if (ExtErrCode == STATUS_INVALID_WORKSTATION) Status = AFP_ERR_INVALID_WORKSTATION; } return( Status ); } // // get the token out using the context // Status = QuerySecurityContextToken( &hNewContext, &pSda->sda_UserToken ); if (!NT_SUCCESS(Status)) { DBGPRINT(DBG_COMP_SECURITY, DBG_LEVEL_ERR, ("AfpLogonUser: QuerySecurityContextToken() failed with %X\n", Status)); pSda->sda_UserToken = NULL; // just paranoia return(Status); } Status = DeleteSecurityContext( &hNewContext ); if (!NT_SUCCESS(Status)) { DBGPRINT(DBG_COMP_SECURITY, DBG_LEVEL_ERR, ("AfpLogonUser: DeleteSecurityContext() failed with %X\n", Status)); } Status = AfpGetUserAndPrimaryGroupSids(pSda); if (!NT_SUCCESS(Status)) { DBGPRINT(DBG_COMP_SECURITY, DBG_LEVEL_ERR, ("AfpLogonUser: AfpGetUserAndPrimaryGroupSids() failed with %X\n", Status)); AFPLOG_ERROR(AFPSRVMSG_LOGON, Status, NULL, 0, NULL); return( Status ); } #ifdef INHERIT_DIRECTORY_PERMS // Convert the user and group sids to IDs AfpSidToMacId(pSda->sda_UserSid, &pSda->sda_UID); AfpSidToMacId(pSda->sda_GroupSid, &pSda->sda_GID); #else // Make a security descriptor for user Status = AfpMakeSecurityDescriptorForUser(pSda->sda_UserSid, pSda->sda_GroupSid, &pSda->sda_pSecDesc); #endif #ifdef OPTIMIZE_GUEST_LOGONS if (pSda->sda_ClientType == SDA_CLIENT_GUEST) { // Save the guest login token and security descriptor AfpSwmrAcquireExclusive(&AfpEtcMapLock); AfpGuestToken = pSda->sda_UserToken; #ifdef INHERIT_DIRECTORY_PERMS AfpSidToMacId(&AfpSidWorld, &AfpIdWorld); #else AfpGuestSecDesc = pSda->sda_pSecDesc; #endif AfpSwmrRelease(&AfpEtcMapLock); } #endif // OPTIMIZE_GUEST_LOGONS return Status; }