mirror of https://github.com/tongzx/nt5src
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
670 lines
15 KiB
670 lines
15 KiB
///////////////////////////////////////////////////////////////////////////////
|
|
//
|
|
// Copyright (c) 1998, Microsoft Corp. All rights reserved.
|
|
//
|
|
// FILE
|
|
//
|
|
// subauth.c
|
|
//
|
|
// SYNOPSIS
|
|
//
|
|
// Declares the subauthentication and password change notification routines
|
|
// for MD5-CHAP.
|
|
//
|
|
// MODIFICATION HISTORY
|
|
//
|
|
// 09/01/1998 Original version.
|
|
// 11/02/1998 Handle change notifications on a separate thread.
|
|
// 11/03/1998 NewPassword may be NULL.
|
|
// 11/12/1998 Use private heap.
|
|
// Use CreateThread.
|
|
// 03/08/1999 Only store passwords for user accounts.
|
|
// 03/29/1999 Initialize out parameters to NULL when calling
|
|
// SamrQueryInformationUser.
|
|
//
|
|
///////////////////////////////////////////////////////////////////////////////
|
|
|
|
#include <nt.h>
|
|
#include <ntrtl.h>
|
|
#include <nturtl.h>
|
|
#include <ntlsa.h>
|
|
#include <windows.h>
|
|
|
|
#include <samrpc.h>
|
|
#include <samisrv.h>
|
|
#include <lsarpc.h>
|
|
#include <lsaisrv.h>
|
|
|
|
#include <lmcons.h>
|
|
#include <logonmsv.h>
|
|
#include <rasfmsub.h>
|
|
|
|
#include <cleartxt.h>
|
|
#include <md5.h>
|
|
#include <md5port.h>
|
|
#include <rassfmhp.h>
|
|
|
|
// Non-zero if the API is locked.
|
|
static LONG theLock;
|
|
|
|
//////////
|
|
// Macros to lock/unlock the API during intialization.
|
|
//////////
|
|
#define API_LOCK() \
|
|
while (InterlockedExchange(&theLock, 1)) Sleep(5)
|
|
|
|
#define API_UNLOCK() \
|
|
InterlockedExchange(&theLock, 0)
|
|
|
|
// Cached handle to the local account domain.
|
|
SAMPR_HANDLE theAccountDomain;
|
|
|
|
// TRUE if we have a handle to the local account domain.
|
|
static BOOL theConnectFlag;
|
|
|
|
//////////
|
|
// Macro that ensures we have a connection and bails on failure.
|
|
//////////
|
|
#define CHECK_CONNECT() \
|
|
if (!theConnectFlag) { \
|
|
status = ConnectToDomain(); \
|
|
if (!NT_SUCCESS(status)) { return status; } \
|
|
}
|
|
|
|
//////////
|
|
// Initializes the cached handle to the local account domain.
|
|
//////////
|
|
NTSTATUS
|
|
NTAPI
|
|
ConnectToDomain( VOID )
|
|
{
|
|
NTSTATUS status;
|
|
PLSAPR_POLICY_INFORMATION policyInfo;
|
|
SAMPR_HANDLE hServer;
|
|
|
|
API_LOCK();
|
|
|
|
// If we've already been initialized, there's nothing to do.
|
|
if (theConnectFlag)
|
|
{
|
|
status = STATUS_SUCCESS;
|
|
goto exit;
|
|
}
|
|
|
|
//////////
|
|
// Open a handle to the local account domain.
|
|
//////////
|
|
|
|
policyInfo = NULL;
|
|
status = LsaIQueryInformationPolicyTrusted(
|
|
PolicyAccountDomainInformation,
|
|
&policyInfo
|
|
);
|
|
if (!NT_SUCCESS(status)) { goto exit; }
|
|
|
|
status = SamIConnect(
|
|
NULL,
|
|
&hServer,
|
|
0,
|
|
TRUE
|
|
);
|
|
if (!NT_SUCCESS(status)) { goto free_info; }
|
|
|
|
status = SamrOpenDomain(
|
|
hServer,
|
|
0,
|
|
(PRPC_SID)policyInfo->PolicyAccountDomainInfo.DomainSid,
|
|
&theAccountDomain
|
|
);
|
|
|
|
// Did we succeed ?
|
|
if (NT_SUCCESS(status)) { theConnectFlag = TRUE; }
|
|
|
|
SamrCloseHandle(&hServer);
|
|
|
|
free_info:
|
|
LsaIFree_LSAPR_POLICY_INFORMATION(
|
|
PolicyAccountDomainInformation,
|
|
policyInfo
|
|
);
|
|
|
|
exit:
|
|
API_UNLOCK();
|
|
return status;
|
|
}
|
|
|
|
//////////
|
|
// Returns a SAM handle for the local account domain.
|
|
// This handle must not be closed.
|
|
//////////
|
|
NTSTATUS
|
|
NTAPI
|
|
GetDomainHandle(
|
|
OUT SAMPR_HANDLE *DomainHandle
|
|
)
|
|
{
|
|
NTSTATUS status;
|
|
|
|
CHECK_CONNECT();
|
|
|
|
*DomainHandle = theAccountDomain;
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
//////////
|
|
// Returns a SAM handle for the given user.
|
|
// The caller is responsible for closing the returned handle.
|
|
//////////
|
|
NTSTATUS
|
|
NTAPI
|
|
GetUserHandle(
|
|
IN PUNICODE_STRING UserName,
|
|
OUT SAMPR_HANDLE *UserHandle
|
|
)
|
|
{
|
|
NTSTATUS status;
|
|
SAMPR_ULONG_ARRAY RidArray;
|
|
SAMPR_ULONG_ARRAY UseArray;
|
|
|
|
CHECK_CONNECT();
|
|
|
|
RidArray.Element = NULL;
|
|
UseArray.Element = NULL;
|
|
|
|
status = SamrLookupNamesInDomain(
|
|
theAccountDomain,
|
|
1,
|
|
(PRPC_UNICODE_STRING)UserName,
|
|
&RidArray,
|
|
&UseArray
|
|
);
|
|
if (!NT_SUCCESS(status)) { goto exit; }
|
|
|
|
if (UseArray.Element[0] != SidTypeUser)
|
|
{
|
|
status = STATUS_NONE_MAPPED;
|
|
goto free_arrays;
|
|
}
|
|
|
|
status = SamrOpenUser(
|
|
theAccountDomain,
|
|
0,
|
|
RidArray.Element[0],
|
|
UserHandle
|
|
);
|
|
|
|
free_arrays:
|
|
SamIFree_SAMPR_ULONG_ARRAY( &UseArray );
|
|
SamIFree_SAMPR_ULONG_ARRAY( &RidArray );
|
|
|
|
exit:
|
|
return status;
|
|
}
|
|
|
|
/////////
|
|
// Process an MD5-CHAP authentication.
|
|
/////////
|
|
NTSTATUS
|
|
NTAPI
|
|
ProcessMD5ChapAuthentication(
|
|
IN SAM_HANDLE UserHandle,
|
|
IN PUSER_ALL_INFORMATION UserAll,
|
|
IN UCHAR ChallengeId,
|
|
IN DWORD ChallengeLength,
|
|
IN PUCHAR Challenge,
|
|
IN PUCHAR Response
|
|
)
|
|
{
|
|
NTSTATUS status;
|
|
UNICODE_STRING uniPwd;
|
|
ANSI_STRING ansiPwd;
|
|
MD5_CTX context;
|
|
|
|
/////////
|
|
// Retrieve the cleartext password.
|
|
/////////
|
|
|
|
status = RetrieveCleartextPassword(
|
|
UserHandle,
|
|
UserAll,
|
|
&uniPwd
|
|
);
|
|
if (status != STATUS_SUCCESS) { return status; }
|
|
|
|
//////////
|
|
// Convert the password to ANSI.
|
|
//////////
|
|
|
|
status = RtlUnicodeStringToAnsiString(
|
|
&ansiPwd,
|
|
&uniPwd,
|
|
TRUE
|
|
);
|
|
|
|
// We're through with the Unicode password.
|
|
RtlFreeUnicodeString(&uniPwd);
|
|
|
|
if (!NT_SUCCESS(status)) { return STATUS_WRONG_PASSWORD; }
|
|
|
|
//////////
|
|
// Compute the correct response.
|
|
//////////
|
|
|
|
MD5Init(&context);
|
|
MD5Update(&context, &ChallengeId, 1);
|
|
MD5Update(&context, (PBYTE)ansiPwd.Buffer, ansiPwd.Length);
|
|
MD5Update(&context, Challenge, ChallengeLength);
|
|
MD5Final(&context);
|
|
|
|
// We're through with the ANSI password.
|
|
RtlFreeAnsiString(&ansiPwd);
|
|
|
|
//////////
|
|
// Does the actual response match the correct response ?
|
|
//////////
|
|
|
|
if (memcmp(context.digest, Response, 16) == 0)
|
|
{
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
return STATUS_WRONG_PASSWORD;
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
MD5ChapSubAuthentication(
|
|
IN SAM_HANDLE UserHandle,
|
|
IN PUSER_ALL_INFORMATION UserAll,
|
|
IN PRAS_SUBAUTH_INFO RasInfo
|
|
)
|
|
{
|
|
MD5CHAP_SUBAUTH_INFO* info = (MD5CHAP_SUBAUTH_INFO*)(RasInfo->Data);
|
|
return ProcessMD5ChapAuthentication(
|
|
UserHandle,
|
|
UserAll,
|
|
info->uchChallengeId,
|
|
sizeof(info->uchChallenge),
|
|
info->uchChallenge,
|
|
info->uchResponse
|
|
);
|
|
}
|
|
|
|
|
|
NTSTATUS
|
|
NTAPI
|
|
MD5ChapExSubAuthentication(
|
|
IN SAM_HANDLE UserHandle,
|
|
IN PUSER_ALL_INFORMATION UserAll,
|
|
IN PRAS_SUBAUTH_INFO RasInfo
|
|
)
|
|
{
|
|
MD5CHAP_EX_SUBAUTH_INFO* info = (MD5CHAP_EX_SUBAUTH_INFO*)(RasInfo->Data);
|
|
DWORD challengeLength = RasInfo->DataSize -
|
|
sizeof(MD5CHAP_EX_SUBAUTH_INFO) + 1;
|
|
return ProcessMD5ChapAuthentication(
|
|
UserHandle,
|
|
UserAll,
|
|
info->uchChallengeId,
|
|
challengeLength,
|
|
info->uchChallenge,
|
|
info->uchResponse
|
|
);
|
|
}
|
|
|
|
//////////
|
|
// Entry point for the subauthentication DLL.
|
|
//////////
|
|
NTSTATUS
|
|
NTAPI
|
|
Msv1_0SubAuthenticationRoutine(
|
|
IN NETLOGON_LOGON_INFO_CLASS LogonLevel,
|
|
IN PVOID LogonInformation,
|
|
IN ULONG Flags,
|
|
IN PUSER_ALL_INFORMATION UserAll,
|
|
OUT PULONG WhichFields,
|
|
OUT PULONG UserFlags,
|
|
OUT PBOOLEAN Authoritative,
|
|
OUT PLARGE_INTEGER LogoffTime,
|
|
OUT PLARGE_INTEGER KickoffTime
|
|
)
|
|
{
|
|
NTSTATUS status;
|
|
LARGE_INTEGER logonTime;
|
|
PNETLOGON_NETWORK_INFO logonInfo;
|
|
PRAS_SUBAUTH_INFO rasInfo;
|
|
MD5CHAP_SUBAUTH_INFO *chapInfo;
|
|
PWSTR password;
|
|
UNICODE_STRING uniPassword;
|
|
SAMPR_HANDLE hUser;
|
|
|
|
/////////
|
|
// Initialize the out parameters.
|
|
/////////
|
|
|
|
*WhichFields = 0;
|
|
*UserFlags = 0;
|
|
*Authoritative = TRUE;
|
|
|
|
/////////
|
|
// Check some basic restrictions.
|
|
/////////
|
|
|
|
if (LogonLevel != NetlogonNetworkInformation)
|
|
{
|
|
return STATUS_INVALID_INFO_CLASS;
|
|
}
|
|
|
|
if (UserAll->UserAccountControl & USER_ACCOUNT_DISABLED)
|
|
{
|
|
return STATUS_ACCOUNT_DISABLED;
|
|
}
|
|
|
|
NtQuerySystemTime(&logonTime);
|
|
|
|
if (UserAll->AccountExpires.QuadPart != 0 &&
|
|
UserAll->AccountExpires.QuadPart <= logonTime.QuadPart)
|
|
{
|
|
return STATUS_ACCOUNT_EXPIRED;
|
|
}
|
|
|
|
if (UserAll->PasswordMustChange.QuadPart <= logonTime.QuadPart)
|
|
{
|
|
return UserAll->PasswordLastSet.QuadPart ? STATUS_PASSWORD_EXPIRED
|
|
: STATUS_PASSWORD_MUST_CHANGE;
|
|
}
|
|
|
|
/////////
|
|
// Extract the MD5CHAP_SUBAUTH_INFO struct.
|
|
/////////
|
|
|
|
logonInfo = (PNETLOGON_NETWORK_INFO)LogonInformation;
|
|
rasInfo = (PRAS_SUBAUTH_INFO)logonInfo->NtChallengeResponse.Buffer;
|
|
|
|
if (rasInfo == NULL ||
|
|
logonInfo->NtChallengeResponse.Length < sizeof(RAS_SUBAUTH_INFO) ||
|
|
rasInfo->ProtocolType != RAS_SUBAUTH_PROTO_MD5CHAP ||
|
|
rasInfo->DataSize != sizeof(MD5CHAP_SUBAUTH_INFO))
|
|
{
|
|
return STATUS_INVALID_PARAMETER;
|
|
}
|
|
|
|
chapInfo = (MD5CHAP_SUBAUTH_INFO*)rasInfo->Data;
|
|
|
|
/////////
|
|
// Open a handle to the user object.
|
|
/////////
|
|
|
|
status = GetUserHandle(
|
|
&(logonInfo->Identity.UserName),
|
|
&hUser
|
|
);
|
|
if (status != NO_ERROR) { return status; }
|
|
|
|
/////////
|
|
// Verify the MD5-CHAP password.
|
|
/////////
|
|
|
|
status = ProcessMD5ChapAuthentication(
|
|
hUser,
|
|
UserAll,
|
|
chapInfo->uchChallengeId,
|
|
sizeof(chapInfo->uchChallenge),
|
|
chapInfo->uchChallenge,
|
|
chapInfo->uchResponse
|
|
);
|
|
if (status != NO_ERROR) { goto close_user; }
|
|
|
|
/////////
|
|
// Check account restrictions.
|
|
/////////
|
|
|
|
status = SamIAccountRestrictions(
|
|
hUser,
|
|
NULL,
|
|
NULL,
|
|
&UserAll->LogonHours,
|
|
LogoffTime,
|
|
KickoffTime
|
|
);
|
|
|
|
close_user:
|
|
SamrCloseHandle(&hUser);
|
|
|
|
return status;
|
|
}
|
|
|
|
/////////
|
|
// Info needed to process a change notification.
|
|
/////////
|
|
typedef struct _PWD_CHANGE_INFO {
|
|
ULONG RelativeId;
|
|
WCHAR NewPassword[1];
|
|
} PWD_CHANGE_INFO, *PPWD_CHANGE_INFO;
|
|
|
|
/////////
|
|
// Start routine for notification worker thread.
|
|
/////////
|
|
DWORD
|
|
WINAPI
|
|
PasswordChangeNotifyWorker(
|
|
IN PPWD_CHANGE_INFO ChangeInfo
|
|
)
|
|
{
|
|
NTSTATUS status;
|
|
SAMPR_HANDLE hUser;
|
|
PUSER_CONTROL_INFORMATION uci;
|
|
ULONG accountControl;
|
|
USER_PARAMETERS_INFORMATION *oldInfo, newInfo;
|
|
BOOL cleartextAllowed;
|
|
PWSTR oldUserParms, newUserParms;
|
|
|
|
//////////
|
|
// Ensure we're connected to the SAM domain.
|
|
//////////
|
|
|
|
if (!theConnectFlag)
|
|
{
|
|
status = ConnectToDomain();
|
|
if (!NT_SUCCESS(status)) { goto exit; }
|
|
}
|
|
|
|
//////////
|
|
// Retrieve the UserParameters
|
|
//////////
|
|
|
|
status = SamrOpenUser(
|
|
theAccountDomain,
|
|
0,
|
|
ChangeInfo->RelativeId,
|
|
&hUser
|
|
);
|
|
if (!NT_SUCCESS(status)) { goto exit; }
|
|
|
|
uci = NULL;
|
|
status = SamrQueryInformationUser(
|
|
hUser,
|
|
UserControlInformation,
|
|
(PSAMPR_USER_INFO_BUFFER*)&uci
|
|
);
|
|
if (!NT_SUCCESS(status)) { goto close_user; }
|
|
|
|
// Save the info ...
|
|
accountControl = uci->UserAccountControl;
|
|
|
|
// ... and free the buffer.
|
|
SamIFree_SAMPR_USER_INFO_BUFFER(
|
|
(PSAMPR_USER_INFO_BUFFER)uci,
|
|
UserControlInformation
|
|
);
|
|
|
|
// We're only interested in normal accounts.
|
|
if (!(accountControl & USER_NORMAL_ACCOUNT)) { goto close_user; }
|
|
|
|
oldInfo = NULL;
|
|
status = SamrQueryInformationUser(
|
|
hUser,
|
|
UserParametersInformation,
|
|
(PSAMPR_USER_INFO_BUFFER*)&oldInfo
|
|
);
|
|
if (!NT_SUCCESS(status)) { goto close_user; }
|
|
|
|
//////////
|
|
// Make a null-terminated copy.
|
|
//////////
|
|
|
|
oldUserParms = (PWSTR)
|
|
RtlAllocateHeap(
|
|
RasSfmHeap(),
|
|
0,
|
|
oldInfo->Parameters.Length + sizeof(WCHAR)
|
|
);
|
|
if (oldUserParms == NULL)
|
|
{
|
|
status = STATUS_NO_MEMORY;
|
|
goto free_user_info;
|
|
}
|
|
|
|
memcpy(
|
|
oldUserParms,
|
|
oldInfo->Parameters.Buffer,
|
|
oldInfo->Parameters.Length
|
|
);
|
|
|
|
oldUserParms[oldInfo->Parameters.Length / sizeof(WCHAR)] = L'\0';
|
|
|
|
//////////
|
|
// Should we store the cleartext password in UserParameters?
|
|
//////////
|
|
|
|
status = IsCleartextEnabled(
|
|
hUser,
|
|
&cleartextAllowed
|
|
);
|
|
if (!NT_SUCCESS(status)) { goto free_user_parms; }
|
|
|
|
newUserParms = NULL;
|
|
|
|
if (cleartextAllowed)
|
|
{
|
|
// We either set the new password ...
|
|
status = IASParmsSetUserPassword(
|
|
oldUserParms,
|
|
ChangeInfo->NewPassword,
|
|
&newUserParms
|
|
);
|
|
}
|
|
else
|
|
{
|
|
// ... or we erase the old one.
|
|
status = IASParmsClearUserPassword(
|
|
oldUserParms,
|
|
&newUserParms
|
|
);
|
|
}
|
|
|
|
// Write the UserParameters back to SAM if necessary.
|
|
if (NT_SUCCESS(status) && newUserParms != NULL)
|
|
{
|
|
newInfo.Parameters.Length = (USHORT)(sizeof(WCHAR) * (lstrlenW(newUserParms) + 1));
|
|
newInfo.Parameters.MaximumLength = newInfo.Parameters.Length;
|
|
newInfo.Parameters.Buffer = newUserParms;
|
|
|
|
status = SamrSetInformationUser(
|
|
hUser,
|
|
UserParametersInformation,
|
|
(PSAMPR_USER_INFO_BUFFER)&newInfo
|
|
);
|
|
|
|
IASParmsFreeUserParms(newUserParms);
|
|
}
|
|
|
|
free_user_parms:
|
|
RtlFreeHeap(
|
|
RasSfmHeap(),
|
|
0,
|
|
oldUserParms
|
|
);
|
|
|
|
free_user_info:
|
|
SamIFree_SAMPR_USER_INFO_BUFFER(
|
|
(PSAMPR_USER_INFO_BUFFER)oldInfo,
|
|
UserParametersInformation
|
|
);
|
|
|
|
close_user:
|
|
SamrCloseHandle(&hUser);
|
|
|
|
exit:
|
|
RtlFreeHeap(
|
|
RasSfmHeap(),
|
|
0,
|
|
ChangeInfo
|
|
);
|
|
|
|
return status;
|
|
}
|
|
|
|
//////////
|
|
// Password change DLL entry point.
|
|
//////////
|
|
NTSTATUS
|
|
NTAPI
|
|
PasswordChangeNotify(
|
|
IN PUNICODE_STRING UserName,
|
|
IN ULONG RelativeId,
|
|
IN PUNICODE_STRING NewPassword
|
|
)
|
|
{
|
|
ULONG length;
|
|
PPWD_CHANGE_INFO info;
|
|
HANDLE hWorker;
|
|
DWORD threadId;
|
|
|
|
// Calculate the length of the new password.
|
|
length = NewPassword ? NewPassword->Length : 0;
|
|
|
|
// Allocate the PWD_CHANGE_INFO struct.
|
|
info = (PPWD_CHANGE_INFO)
|
|
RtlAllocateHeap(
|
|
RasSfmHeap(),
|
|
0,
|
|
sizeof(PWD_CHANGE_INFO) + length
|
|
);
|
|
if (info == NULL) { return STATUS_NO_MEMORY; }
|
|
|
|
// Save the RelativeId.
|
|
info->RelativeId = RelativeId;
|
|
|
|
// Save the NewPassword.
|
|
if (length) { memcpy(info->NewPassword, NewPassword->Buffer, length); }
|
|
|
|
// Make sure it's null-terminated.
|
|
info->NewPassword[length / sizeof(WCHAR)] = L'\0';
|
|
|
|
// Create a worker thread.
|
|
hWorker = CreateThread(
|
|
NULL,
|
|
0,
|
|
PasswordChangeNotifyWorker,
|
|
info,
|
|
0,
|
|
&threadId
|
|
);
|
|
|
|
if (hWorker)
|
|
{
|
|
CloseHandle(hWorker);
|
|
|
|
return STATUS_SUCCESS;
|
|
}
|
|
|
|
RtlFreeHeap(
|
|
RasSfmHeap(),
|
|
0,
|
|
info
|
|
);
|
|
|
|
return STATUS_UNSUCCESSFUL;
|
|
}
|