Microsoft/WindowsXP-SP1
Microsoft
/
WindowsXP-SP1
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
WindowsXP-SP1/ds/nw/rdr/ndslogin.c

3573 lines
108 KiB
C
Raw Permalink Blame History

/*++
Copyright (c) 1995 Microsoft Corporation
Module Name:
NdsLogin.c
Abstract:
This file implements the functionality required to
perform an NDS login.
Author:
Cory West [CoryWest] 23-Feb-1995
Revision History:
--*/
#include "Procs.h"
#define Dbg (DEBUG_TRACE_NDS)
//
// Pageable.
//
#pragma alloc_text( PAGE, NdsCanonUserName )
#pragma alloc_text( PAGE, NdsCheckCredentials )
#pragma alloc_text( PAGE, NdsCheckCredentialsEx )
#pragma alloc_text( PAGE, NdsLookupCredentials )
#pragma alloc_text( PAGE, NdsLookupCredentials2 )
#pragma alloc_text( PAGE, NdsGetCredentials )
#pragma alloc_text( PAGE, DoNdsLogon )
#pragma alloc_text( PAGE, BeginLogin )
#pragma alloc_text( PAGE, FinishLogin )
#pragma alloc_text( PAGE, ChangeNdsPassword )
#pragma alloc_text( PAGE, NdsServerAuthenticate )
#pragma alloc_text( PAGE, BeginAuthenticate )
#pragma alloc_text( PAGE, NdsLicenseConnection )
#pragma alloc_text( PAGE, NdsUnlicenseConnection )
#pragma alloc_text( PAGE, NdsGetBsafeKey )
//
// Non pageable:
//
// NdsTreeLogin (holds a spin lock)
// NdsLogoff (holds a spin lock)
//
VOID
Shuffle(
UCHAR *achObjectId,
UCHAR *szUpperPassword,
int iPasswordLen,
UCHAR *achOutputBuffer
);
NTSTATUS
NdsCanonUserName(
IN PNDS_SECURITY_CONTEXT pNdsContext,
IN PUNICODE_STRING puUserName,
IN OUT PUNICODE_STRING puCanonUserName
)
/*+++
Canonicalize the user name for the given tree and
current connection state. Canonicalization includes
handling the correct context and cleaning off all
the X500 prefixes.
ALERT! The credential list must be held (shared or
exclusive) while this function is called.
---*/
{
NTSTATUS Status = STATUS_SUCCESS;
USHORT CurrentTargetIndex;
USHORT PrefixBytes;
UNICODE_STRING UnstrippedName;
PWCHAR CanonBuffer;
PAGED_CODE();
CanonBuffer = ALLOCATE_POOL( PagedPool, MAX_NDS_NAME_SIZE );
if ( !CanonBuffer ) {
return STATUS_INSUFFICIENT_RESOURCES;
}
//
// If the name starts with a dot, it's referenced from the root
// of the tree and we should not append the context. We should,
// however, strip off the leading dot so that name resolution
// will work.
//
if ( puUserName->Buffer[0] == L'.' ) {
UnstrippedName.Length = puUserName->Length - sizeof( WCHAR );
UnstrippedName.MaximumLength = UnstrippedName.Length;
UnstrippedName.Buffer = &(puUserName->Buffer[1]);
goto StripPrefixes;
}
//
// If the name contains any dots, it's qualified and we
// should probably just use it as is.
//
CurrentTargetIndex= 0;
while ( CurrentTargetIndex< ( puUserName->Length / sizeof( WCHAR ) ) ) {
if ( puUserName->Buffer[CurrentTargetIndex] == L'.' ) {
UnstrippedName.Length = puUserName->Length;
UnstrippedName.MaximumLength = puUserName->Length;
UnstrippedName.Buffer = puUserName->Buffer;
goto StripPrefixes;
}
CurrentTargetIndex++;
}
//
// If we have a context for this tree and the name isn't
// qualified, we should append the context.
//
if ( pNdsContext->CurrentContext.Length ) {
if ( ( puUserName->Length +
pNdsContext->CurrentContext.Length ) >= MAX_NDS_NAME_SIZE ) {
DebugTrace( 0, Dbg, "NDS canon name too long.\n", 0 );
Status = STATUS_INVALID_PARAMETER;
goto ExitWithCleanup;
}
RtlCopyMemory( CanonBuffer, puUserName->Buffer, puUserName->Length );
CanonBuffer[puUserName->Length / sizeof( WCHAR )] = L'.';
RtlCopyMemory( ((BYTE *)CanonBuffer) + puUserName->Length + sizeof( WCHAR ),
pNdsContext->CurrentContext.Buffer,
pNdsContext->CurrentContext.Length );
UnstrippedName.Length = puUserName->Length +
pNdsContext->CurrentContext.Length +
sizeof( WCHAR );
UnstrippedName.MaximumLength = MAX_NDS_NAME_SIZE;
UnstrippedName.Buffer = CanonBuffer;
goto StripPrefixes;
}
//
// It wasn't qualified, nor was there a context to append, so fail it.
//
DebugTrace( 0, Dbg, "The name %wZ is not canonicalizable.\n", puUserName );
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
StripPrefixes:
//
// All of these indexes are in BYTES, not WCHARS!
//
CurrentTargetIndex = 0;
PrefixBytes = 0;
puCanonUserName->Length = 0;
while ( ( CurrentTargetIndex < UnstrippedName.Length ) &&
( puCanonUserName->Length < puCanonUserName->MaximumLength ) ) {
//
// Strip off the X.500 prefixes.
//
if ( UnstrippedName.Buffer[CurrentTargetIndex / sizeof( WCHAR )] == L'=' ) {
CurrentTargetIndex += sizeof( WCHAR );
puCanonUserName->Length -= PrefixBytes;
PrefixBytes = 0;
continue;
}
puCanonUserName->Buffer[puCanonUserName->Length / sizeof( WCHAR )] =
UnstrippedName.Buffer[CurrentTargetIndex / sizeof( WCHAR )];
puCanonUserName->Length += sizeof( WCHAR );
CurrentTargetIndex += sizeof( WCHAR );
if ( UnstrippedName.Buffer[CurrentTargetIndex / sizeof( WCHAR )] == L'.' ) {
PrefixBytes = 0;
PrefixBytes -= sizeof( WCHAR );
} else {
PrefixBytes += sizeof( WCHAR );
}
}
DebugTrace( 0, Dbg, "Canonicalized name: %wZ\n", puCanonUserName );
ExitWithCleanup:
FREE_POOL( CanonBuffer );
return Status;
}
NTSTATUS
NdsCheckCredentials(
IN PIRP_CONTEXT pIrpContext,
IN PUNICODE_STRING puUserName,
IN PUNICODE_STRING puPassword
)
/*++
Given a set of credentials and a username and password,
we need to determine if username and password match those
that were used to acquire the credentials.
--*/
{
NTSTATUS Status;
PLOGON pLogon;
PNONPAGED_SCB pNpScb;
PSCB pScb;
PNDS_SECURITY_CONTEXT pCredentials;
PAGED_CODE();
//
// Grab the user's LOGON structure and credentials.
//
pNpScb = pIrpContext->pNpScb;
pScb = pNpScb->pScb;
NwAcquireExclusiveRcb( &NwRcb, TRUE );
pLogon = FindUser( &pScb->UserUid, FALSE );
NwReleaseRcb( &NwRcb );
if ( !pLogon ) {
DebugTrace( 0, Dbg, "Invalid client security context in NdsCheckCredentials.\n", 0 );
return STATUS_ACCESS_DENIED;
}
Status = NdsLookupCredentials( pIrpContext,
&pScb->NdsTreeName,
pLogon,
&pCredentials,
CREDENTIAL_READ,
FALSE );
if( NT_SUCCESS( Status ) ) {
if ( pCredentials->CredentialLocked ) {
Status = STATUS_DEVICE_BUSY;
} else {
Status = NdsCheckCredentialsEx( pIrpContext,
pLogon,
pCredentials,
puUserName,
puPassword );
}
NwReleaseCredList( pLogon, pIrpContext );
}
return Status;
}
NTSTATUS
NdsCheckCredentialsEx(
IN PIRP_CONTEXT pIrpContext,
IN PLOGON pLogon,
IN PNDS_SECURITY_CONTEXT pNdsContext,
IN PUNICODE_STRING puUserName,
IN PUNICODE_STRING puPassword
)
/*++
Given a set of credentials and a username and password,
we need to determine if username and password match those
that were used to acquire the credentials.
ALERT! The credential list must be held (either shared or
exclusive) while this function is called.
--*/
{
NTSTATUS Status = STATUS_SUCCESS;
UNICODE_STRING CredentialName;
UNICODE_STRING CanonCredentialName, CanonUserName;
PWCHAR CredNameBuffer;
PWCHAR UserNameBuffer;
UNICODE_STRING StoredPassword;
PWCHAR Stored;
PAGED_CODE();
//
// If we haven't logged into to the tree, there is no security
// conflict. Otherwise, run the check.
//
//
// There are occasions when the credential structure will be NULL
// This is when supplemental credentials are provided and an empty
// credential shell is created by ExCreateReferenceCredentials. In
// such cases, we can safely report back a credential conflict.
//
if ( pNdsContext->Credential == NULL) {
DebugTrace( 0, Dbg, "NdsCheckCredentialsEx: Credential conflict due to emtpy cred shell\n", 0);
Status = STATUS_NETWORK_CREDENTIAL_CONFLICT;
return Status;
}
CredNameBuffer = ALLOCATE_POOL( NonPagedPool,
( 2 * MAX_NDS_NAME_SIZE ) +
( MAX_PW_CHARS * sizeof( WCHAR ) ) );
if ( !CredNameBuffer ) {
return STATUS_INSUFFICIENT_RESOURCES;
}
UserNameBuffer = (PWCHAR) (((BYTE *)CredNameBuffer) + MAX_NDS_NAME_SIZE );
Stored = (PWCHAR) (((BYTE *)UserNameBuffer) + MAX_NDS_NAME_SIZE );
if ( puUserName && puUserName->Length ) {
//
// Canon the incoming name and the credential name.
//
CanonUserName.Length = 0;
CanonUserName.MaximumLength = MAX_NDS_NAME_SIZE;
CanonUserName.Buffer = UserNameBuffer;
Status = NdsCanonUserName( pNdsContext,
puUserName,
&CanonUserName );
if ( !NT_SUCCESS( Status )) {
Status = STATUS_NETWORK_CREDENTIAL_CONFLICT;
goto ExitWithCleanup;
}
CanonCredentialName.Length = 0;
CanonCredentialName.MaximumLength = MAX_NDS_NAME_SIZE;
CanonCredentialName.Buffer = CredNameBuffer;
CredentialName.Length = (USHORT)pNdsContext->Credential->userNameLength - sizeof( WCHAR );
CredentialName.MaximumLength = CredentialName.Length;
CredentialName.Buffer = (PWCHAR)( (PBYTE)(pNdsContext->Credential) +
sizeof( NDS_CREDENTIAL ) );
Status = NdsCanonUserName( pNdsContext,
&CredentialName,
&CanonCredentialName );
if ( !NT_SUCCESS( Status )) {
Status = STATUS_NETWORK_CREDENTIAL_CONFLICT;
goto ExitWithCleanup;
}
//
// See if they match.
//
if ( RtlCompareUnicodeString( &CanonUserName, &CanonCredentialName, TRUE )) {
DebugTrace( 0, Dbg, "NdsCheckCredentialsEx: user name conflict.\n", 0 );
Status = STATUS_NETWORK_CREDENTIAL_CONFLICT;
goto ExitWithCleanup;
}
}
//
// Now check the password.
//
StoredPassword.Length = 0;
StoredPassword.MaximumLength = MAX_PW_CHARS * sizeof( WCHAR );
StoredPassword.Buffer = Stored;
RtlOemStringToUnicodeString( &StoredPassword,
&pNdsContext->Password,
FALSE );
if ( puPassword && puPassword->Length ) {
if ( RtlCompareUnicodeString( puPassword,
&StoredPassword,
TRUE ) ) {
DebugTrace( 0, Dbg, "NdsCheckCredentialsEx: password conflict.\n", 0 );
Status = STATUS_WRONG_PASSWORD;
}
//
// In the case of a NULL incoming password, the length field will
// be zero but a buffer field exists.
//
} else if ( puPassword && !puPassword->Length && puPassword->Buffer) {
if (StoredPassword.Length != 0) {
DebugTrace( 0, Dbg, "NdsCheckCredentialsEx: password conflict.\n", 0 );
Status = STATUS_WRONG_PASSWORD;
}
}
ExitWithCleanup:
FREE_POOL( CredNameBuffer );
return Status;
}
NTSTATUS
NdsLookupCredentials(
IN PIRP_CONTEXT pIrpContext,
IN PUNICODE_STRING puTreeName,
IN PLOGON pLogon,
OUT PNDS_SECURITY_CONTEXT *ppCredentials,
DWORD dwDesiredAccess,
BOOLEAN fCreate
)
/*+++
Retrieve the nds credentials for the given tree from the
list of valid credentials for the specified user.
puTreeName - The name of the tree that we want credentials for. If NULL
is specified, we return the credentials for the default tree.
pLogon - The logon structure for the user we want to access the tree.
ppCredentials - Where to put the pointed to the credentials.
dwDesiredAccess - CREDENTIAL_READ if we want read/only access, CREDENTIAL_WRITE
if we're going to change the credentials.
fCreate - If the credentials don't exist, should we create them?
We return the credentials with the list held in the appropriate mode. The
caller is responsible for releasing the list when done with the credentials.
---*/
{
NTSTATUS Status;
PLIST_ENTRY pFirst, pNext;
PNDS_SECURITY_CONTEXT pNdsContext;
PAGED_CODE();
if (BooleanFlagOn( pIrpContext->Flags, IRP_FLAG_RECONNECT_ATTEMPT)) {
ASSERT( pIrpContext->pNpScb->Requests.Flink == &pIrpContext->NextRequest );
}
NwAcquireExclusiveCredList( pLogon, pIrpContext );
pFirst = &pLogon->NdsCredentialList;
pNext = pLogon->NdsCredentialList.Flink;
while ( pNext && ( pFirst != pNext ) ) {
pNdsContext = (PNDS_SECURITY_CONTEXT)
CONTAINING_RECORD( pNext,
NDS_SECURITY_CONTEXT,
Next );
ASSERT( pNdsContext->ntc == NW_NTC_NDS_CREDENTIAL );
if ( !puTreeName ||
!RtlCompareUnicodeString( puTreeName,
&pNdsContext->NdsTreeName,
TRUE ) ) {
//
// If the tree name is null, we'll return the first one
// on the list. Otherwise this will work as normal.
//
*ppCredentials = pNdsContext;
return STATUS_SUCCESS;
}
pNext = pNdsContext->Next.Flink;
}
//
// We didn't find the credential. Should we create it?
//
NwReleaseCredList( pLogon, pIrpContext );
if ( !fCreate || !puTreeName ) {
return STATUS_UNSUCCESSFUL;
}
//
// Acquire exclusive since we're mucking with the list.
//
NwAcquireExclusiveCredList( pLogon, pIrpContext );
pNdsContext = ( PNDS_SECURITY_CONTEXT )
ALLOCATE_POOL( PagedPool, sizeof( NDS_SECURITY_CONTEXT ) );
if ( !pNdsContext ) {
DebugTrace( 0, Dbg, "Out of memory in NdsLookupCredentials.\n", 0 );
Status = STATUS_INSUFFICIENT_RESOURCES;
goto UnlockAndExit;
}
//
// Initialize the structure.
//
RtlZeroMemory( pNdsContext, sizeof( NDS_SECURITY_CONTEXT ) );
pNdsContext->ntc = NW_NTC_NDS_CREDENTIAL;
pNdsContext->nts = sizeof( NDS_SECURITY_CONTEXT );
//
// Initialize the tree name.
//
pNdsContext->NdsTreeName.MaximumLength = sizeof( pNdsContext->NdsTreeNameBuffer );
pNdsContext->NdsTreeName.Buffer = pNdsContext->NdsTreeNameBuffer;
RtlCopyUnicodeString( &pNdsContext->NdsTreeName, puTreeName );
//
// Initialize the context buffer.
//
pNdsContext->CurrentContext.Length = 0;
pNdsContext->CurrentContext.MaximumLength = sizeof( pNdsContext->CurrentContextString );
pNdsContext->CurrentContext.Buffer = pNdsContext->CurrentContextString;
//
// Insert the context into the list.
//
InsertHeadList( &pLogon->NdsCredentialList, &pNdsContext->Next );
*ppCredentials = pNdsContext;
pNdsContext->pOwningLogon = pLogon;
//
// There's no chance that someone's going to come in during this
// small window and do a logout because there's no login data
// in the credentials.
//
return STATUS_SUCCESS;
UnlockAndExit:
NwReleaseCredList( pLogon, pIrpContext );
return STATUS_UNSUCCESSFUL;
}
NTSTATUS
NdsGetCredentials(
IN PIRP_CONTEXT pIrpContext,
IN PLOGON pLogon,
IN PUNICODE_STRING puUserName,
IN PUNICODE_STRING puPassword
)
/*++
Do an NDS tree login and aquire a valid set of credentials.
--*/
{
NTSTATUS Status;
USHORT i;
UNICODE_STRING LoginName, LoginPassword;
PWCHAR NdsName;
PWCHAR NdsPassword;
OEM_STRING OemPassword;
PBYTE OemPassBuffer;
PNDS_SECURITY_CONTEXT pNdsContext;
PAGED_CODE();
//
// Prepare our login name by canonicalizing the supplied user
// name or using a default user name if appropriate.
//
NdsName = ALLOCATE_POOL( NonPagedPool, MAX_NDS_NAME_SIZE +
MAX_PW_CHARS * sizeof( WCHAR ) +
MAX_PW_CHARS );
if ( !NdsName ) {
return STATUS_INSUFFICIENT_RESOURCES;
}
NdsPassword = (PWCHAR) (((BYTE *) NdsName) + MAX_NDS_NAME_SIZE );
OemPassBuffer = ((BYTE *) NdsPassword ) + ( MAX_PW_CHARS * sizeof( WCHAR ) );
LoginName.Length = 0;
LoginName.MaximumLength = MAX_NDS_NAME_SIZE;
LoginName.Buffer = NdsName;
Status = NdsLookupCredentials( pIrpContext,
&pIrpContext->pScb->NdsTreeName,
pLogon,
&pNdsContext,
CREDENTIAL_READ,
TRUE );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
//
// If the credential list is locked, someone is logging
// out and we have to fail the request.
//
if ( pNdsContext->CredentialLocked ) {
Status = STATUS_DEVICE_BUSY;
NwReleaseCredList( pLogon, pIrpContext );
goto ExitWithCleanup;
}
//
// Fix up the user name.
// ALERT! We are holding the credential list!
//
if ( puUserName && puUserName->Buffer ) {
Status = NdsCanonUserName( pNdsContext,
puUserName,
&LoginName );
if ( !NT_SUCCESS( Status )) {
Status = STATUS_NO_SUCH_USER;
}
} else {
//
// There's no name, so try the default name in the
// current context.
//
if ( pNdsContext->CurrentContext.Length > 0 ) {
//
// Make sure the lengths fit and all that.
//
if ( ( pLogon->UserName.Length +
pNdsContext->CurrentContext.Length ) >= LoginName.MaximumLength ) {
Status = STATUS_INVALID_PARAMETER;
goto NameResolved;
}
RtlCopyMemory( LoginName.Buffer, pLogon->UserName.Buffer, pLogon->UserName.Length );
LoginName.Buffer[pLogon->UserName.Length / sizeof( WCHAR )] = L'.';
RtlCopyMemory( ((BYTE *)LoginName.Buffer) + pLogon->UserName.Length + sizeof( WCHAR ),
pNdsContext->CurrentContext.Buffer,
pNdsContext->CurrentContext.Length );
LoginName.Length = pLogon->UserName.Length +
pNdsContext->CurrentContext.Length +
sizeof( WCHAR );
DebugTrace( 0, Dbg, "Using default name and context for login: %wZ\n", &LoginName );
} else {
Status = STATUS_NO_SUCH_USER;
}
}
NameResolved:
NwReleaseCredList( pLogon, pIrpContext );
//
// RELAX! The credential list is free.
//
if ( !NT_SUCCESS( Status ) ) {
DebugTrace( 0, Dbg, "No name in NdsGetCredentials.\n", 0 );
goto ExitWithCleanup;
}
//
// If there's a password, use it. Otherwise, use the default password.
//
if ( puPassword && puPassword->Buffer ) {
LoginPassword.Length = puPassword->Length;
LoginPassword.MaximumLength = puPassword->MaximumLength;
LoginPassword.Buffer = puPassword->Buffer;
} else {
LoginPassword.Length = 0;
LoginPassword.MaximumLength = MAX_PW_CHARS * sizeof( WCHAR );
LoginPassword.Buffer = NdsPassword;
RtlCopyUnicodeString( &LoginPassword,
&pLogon->PassWord );
}
//
// Convert the password to upcase OEM and login.
//
OemPassword.Length = 0;
OemPassword.MaximumLength = MAX_PW_CHARS;
OemPassword.Buffer = OemPassBuffer;
Status = RtlUpcaseUnicodeStringToOemString( &OemPassword,
&LoginPassword,
FALSE );
if ( !NT_SUCCESS( Status )) {
Status = STATUS_WRONG_PASSWORD;
goto ExitWithCleanup;
}
Status = NdsTreeLogin( pIrpContext, &LoginName, &OemPassword, NULL, pLogon );
ExitWithCleanup:
FREE_POOL( NdsName );
return Status;
}
NTSTATUS
DoNdsLogon(
IN PIRP_CONTEXT pIrpContext,
IN PUNICODE_STRING UserName,
IN PUNICODE_STRING Password
)
/*+++
Description:
This is the lead function for handling login and authentication to
Netware Directory Services. This function acquires credentials to
the appropriate tree for the server that the irp context points to,
logging us into that tree if necessary, and authenticates us to the
current server.
This routine gets called from reconnect attempts and from
normal requests. Since the allowable actions on each of these paths
are different, it might make sense to have two routines, each
more maintainable than this single routine. For now, watch out for
code in the RECONNECT_ATTEMPT cases.
Arguments:
pIrpContext - irp context; must refer to appropriate server
UserName - login username
Password - password
--*/
{
NTSTATUS Status;
PLOGON pLogon;
PNDS_SECURITY_CONTEXT pCredentials;
PSCB pScb;
UNICODE_STRING BinderyName;
UNICODE_STRING uUserName;
UNICODE_STRING NtGroup;
USHORT Length;
PSCB pOriginalServer = NULL;
DWORD UserOID;
BOOL AtHeadOfQueue = FALSE;
BOOL HoldingCredentialResource = FALSE;
BOOL PasswordExpired = FALSE;
BOOL LowerIrpHasLock = FALSE;
PIRP_CONTEXT LowerContext;
PAGED_CODE();
//
// Get to the head of the queue if we need to.
//
if ( BooleanFlagOn( pIrpContext->Flags, IRP_FLAG_RECONNECT_ATTEMPT ) ) {
ASSERT( pIrpContext->pNpScb->Requests.Flink == &pIrpContext->NextRequest );
} else {
NwAppendToQueueAndWait( pIrpContext );
}
AtHeadOfQueue = TRUE;
//
// Grab the user's logon structure.
//
pScb = pIrpContext->pScb;
NwAcquireExclusiveRcb( &NwRcb, TRUE );
pLogon = FindUser( &pScb->UserUid, FALSE );
NwReleaseRcb( &NwRcb );
if ( !pLogon ) {
DebugTrace( 0, Dbg, "Invalid client security context.\n", 0 );
Status = STATUS_ACCESS_DENIED;
goto ExitWithCleanup;
}
//
// If this is a reconnect attempt, check to see if the IRP_CONTEXT
// below us has the credential list lock
//
if (BooleanFlagOn( pIrpContext->Flags, IRP_FLAG_RECONNECT_ATTEMPT ) ) {
LowerContext = CONTAINING_RECORD( pIrpContext->NextRequest.Flink,
IRP_CONTEXT,
NextRequest );
//
// We cannot be the last IRP_CONTEXT on this queue
//
ASSERT (LowerContext != pIrpContext);
if (BooleanFlagOn ( LowerContext->Flags, IRP_FLAG_HAS_CREDENTIAL_LOCK ) ) {
LowerIrpHasLock = TRUE;
}
}
//
// Login and then re-get the tree credentials.
//
if (BooleanFlagOn( pIrpContext->Flags, IRP_FLAG_RECONNECT_ATTEMPT)) {
Status = NdsLookupCredentials2 ( pIrpContext,
&pScb->NdsTreeName,
pLogon,
&pCredentials,
LowerIrpHasLock );
}
else
{
Status = NdsLookupCredentials( pIrpContext,
&pScb->NdsTreeName,
pLogon,
&pCredentials,
CREDENTIAL_READ,
FALSE );
}
if ( !NT_SUCCESS( Status ) ) {
HoldingCredentialResource = FALSE;
goto LOGIN;
}
HoldingCredentialResource = TRUE;
//
// Are we logged in? We can't hold the
// credential list while logging in!!
//
if ( !pCredentials->Credential ) {
HoldingCredentialResource = FALSE;
//
// We should release the credential resource only if the lower IRP
// context does not have the lock implying that we have the lock.
//
if (!LowerIrpHasLock) {
NwReleaseCredList( pLogon, pIrpContext );
}
goto LOGIN;
}
//
// If this credential is locked, we fail!
//
if ( pCredentials->CredentialLocked ) {
Status = STATUS_DEVICE_BUSY;
goto ExitWithCleanup;
}
Status = NdsCheckCredentialsEx( pIrpContext,
pLogon,
pCredentials,
UserName,
Password );
if( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
goto AUTHENTICATE;
LOGIN:
ASSERT( HoldingCredentialResource == FALSE );
//
// If this is a reconnect attempt and we don't have credentials
// already, we have to give up. We can't acquire credentials
// during a reconnect and retry because it could cause a deadlock.
//
if ( BooleanFlagOn( pIrpContext->Flags, IRP_FLAG_RECONNECT_ATTEMPT ) ) {
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
Status = NdsGetCredentials( pIrpContext,
pLogon,
UserName,
Password );
if ( !NT_SUCCESS( Status )) {
goto ExitWithCleanup;
}
//
// NdsGetCredentials can take us off the head of the queue. So, we need
// to get back to the head of the queue before we do anything else.
//
if (pIrpContext->pNpScb->Requests.Flink != &pIrpContext->NextRequest) {
NwAppendToQueueAndWait ( pIrpContext );
}
if ( Status == NWRDR_PASSWORD_HAS_EXPIRED ) {
PasswordExpired = TRUE;
}
Status = NdsLookupCredentials( pIrpContext,
&pScb->NdsTreeName,
pLogon,
&pCredentials,
CREDENTIAL_READ,
FALSE );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
//
// If this credential is locked, someone is
// already logging out and so we fail this.
//
if ( pCredentials->CredentialLocked ) {
Status = STATUS_DEVICE_BUSY;
if (!LowerIrpHasLock) {
NwReleaseCredList( pLogon, pIrpContext );
}
goto ExitWithCleanup;
}
HoldingCredentialResource = TRUE;
AUTHENTICATE:
ASSERT( HoldingCredentialResource == TRUE );
ASSERT( AtHeadOfQueue == TRUE );
//
// Ensure that you are indeed at the head of the queue.
//
ASSERT( pIrpContext->pNpScb->Requests.Flink == &pIrpContext->NextRequest );
//
// NdsServerAuthenticate will not take us off the
// head of the queue since this is not allowed.
//
Status = NdsServerAuthenticate( pIrpContext, pCredentials );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
if (!LowerIrpHasLock) {
NwReleaseCredList( pLogon, pIrpContext );
}
HoldingCredentialResource = FALSE;
//
// If this is a gateway request and is not a reconnect attempt, we
// need to check the group membership.
//
if ( pIrpContext->Specific.Create.UserUid.QuadPart == DefaultLuid.QuadPart) {
if ( !BooleanFlagOn( pIrpContext->Flags, IRP_FLAG_RECONNECT_ATTEMPT ) ) {
NwDequeueIrpContext( pIrpContext, FALSE );
AtHeadOfQueue = FALSE;
//
// Resolve the name, allowing a server jump if necessary.
//
pOriginalServer = pIrpContext->pScb;
NwReferenceScb( pOriginalServer->pNpScb );
uUserName.MaximumLength = pCredentials->Credential->userNameLength;
uUserName.Length = uUserName.MaximumLength;
uUserName.Buffer = ( WCHAR * ) ( ((BYTE *)pCredentials->Credential) +
sizeof( NDS_CREDENTIAL ) +
pCredentials->Credential->optDataSize );
Status = NdsResolveNameKm( pIrpContext,
&uUserName,
&UserOID,
TRUE,
DEFAULT_RESOLVE_FLAGS );
if ( NT_SUCCESS(Status) ) {
RtlInitUnicodeString( &NtGroup, NT_GATEWAY_GROUP );
Status = NdsCheckGroupMembership( pIrpContext, UserOID, &NtGroup );
if ( !NT_SUCCESS( Status ) ) {
DebugTrace( 0, Dbg, "Gateway connection to NDS server not allowed.\n", 0 );
Status = STATUS_ACCESS_DENIED;
}
}
//
// Take us off the head of the queue in case were were left there.
//
NwDequeueIrpContext( pIrpContext, FALSE );
//
// Restore us to the server that we authenticated to so that
// the irp context refers to the authenticated server.
//
if ( pOriginalServer != NULL ) {
NwDereferenceScb( pIrpContext->pNpScb );
if ( pIrpContext->pScb != pOriginalServer ) {
pIrpContext->pScb = pOriginalServer;
pIrpContext->pNpScb = pOriginalServer->pNpScb;
}
}
}
}
ExitWithCleanup:
if (( HoldingCredentialResource )&& (!LowerIrpHasLock)) {
NwReleaseCredList( pLogon, pIrpContext );
}
if ( AtHeadOfQueue ) {
//
// If we failed and this was a reconnect attempt, don't dequeue the
// irp context or we may deadlock when we try to do the bindery logon.
// See ReconnectRetry() for more information on this restriction.
//
if ( !BooleanFlagOn( pIrpContext->Flags, IRP_FLAG_RECONNECT_ATTEMPT ) ) {
NwDequeueIrpContext( pIrpContext, FALSE );
}
}
if ( ( NT_SUCCESS( Status ) ) &&
( PasswordExpired ) ) {
Status = NWRDR_PASSWORD_HAS_EXPIRED;
}
DebugTrace( 0, Dbg, "DoNdsLogin: Status = %08lx\n", Status );
return Status;
}
NTSTATUS
NdsTreeLogin(
IN PIRP_CONTEXT pIrpContext,
IN PUNICODE_STRING puUser,
IN POEM_STRING pOemPassword,
IN POEM_STRING pOemNewPassword,
IN PLOGON pUserLogon
)
/*++
Routine Description:
Login the specified user to the NDS tree at the server referred
to by the given IrpContext using the supplied password.
Arguments:
pIrpContext - The irp context for this server connection.
puUser - The user login name.
pOemPassword - The upper-case, plaintext password.
pOemNewPassword - The new password for a change pass request.
pUserLogon - The LOGON security structure for this user,
which may be NULL for a change password
request.
Side Effects:
If successful, the user's credentials, signature, and
public key are saved in the nds context for this NDS tree
in the credential list in the LOGON structure.
Notes:
This function may have to jump around a few servers to
get all the info needed for login. If restores the irp
context to the original server so that when we authenticate,
we authenticate to the correct server (as requested by the
user).
--*/
{
NTSTATUS Status; // status of the operation
int CryptStatus; // crypt status
DWORD dwChallenge; // four byte server challenge
PUNICODE_STRING puServerName; // server's distinguished name
DWORD dwUserOID, // user oid on the current server
dwSrcUserOID, // user oid on the originating server
dwServerOID; // server oid
BYTE *pbServerPublicNdsKey, // server's public key in NDS format
*pbServerPublicBsafeKey; // server's public BSAFE key
int cbServerPublicNdsKeyLen, // length of server public NDS key
cbServerPublicBsafeKeyLen; // length of server pubilc BSAFE key
BYTE *pbUserPrivateNdsKey, // user's private key in NDS format
*pbUserPrivateBsafeKey; // user's private BSAFE key
int cbUserPrivateNdsKeyLen; // length of user private NDS key
WORD cbUserPrivateBsafeKeyLen; // length of user private BSAFE key
BYTE pbNw3PasswdHash[16]; // nw3 passwd hash
BYTE pbNewPasswdHash[16]; // new passwd hash for change pass
BYTE pbPasswdHashRC2Key[8]; // RC2 secret key generated from hash
BYTE pbEncryptedChallenge[16]; // RC2 encrypted server challenge
int cbEncryptedChallengeLen; // length of the encrypted challenge
PNDS_SECURITY_CONTEXT psNdsSecurityContext; // user's nds context
BYTE *pbSignData; // user's signature data
UNICODE_STRING uUserDN; // users fully distinguished name
PWCHAR UserDnBuffer;
DWORD dwValidityStart, dwValidityEnd;
BOOLEAN AtHeadOfQueue = FALSE;
BOOLEAN HoldingCredResource = FALSE;
BOOLEAN PasswordExpired = FALSE;
UNICODE_STRING PlainServerName;
USHORT UidLen;
KIRQL OldIrql;
PSCB pLoginServer = NULL;
PSCB pOriginalServer = NULL;
DWORD dwLoginFlags = 0;
DebugTrace( 0, Dbg, "Enter NdsTreeLogin...\n", 0 );
ASSERT( pIrpContext->pNpScb->Requests.Flink == &pIrpContext->NextRequest );
ASSERT( puUser );
ASSERT( pOemPassword );
//
// Allocate space for the server's public key and the user's private key.
//
cbServerPublicNdsKeyLen = MAX_PUBLIC_KEY_LEN + MAX_ENC_PRIV_KEY_LEN + MAX_NDS_NAME_SIZE;
pbServerPublicNdsKey = ALLOCATE_POOL( PagedPool, cbServerPublicNdsKeyLen );
if ( !pbServerPublicNdsKey ) {
DebugTrace( 0, Dbg, "Out of memory in NdsTreeLogin...\n", 0 );
return STATUS_INSUFFICIENT_RESOURCES;
}
//
// First, jump to a server where we can get this user object.
// Don't forget the server to which we were originally pointed.
//
pOriginalServer = pIrpContext->pScb;
NwReferenceScb( pOriginalServer->pNpScb );
Status = NdsResolveNameKm( pIrpContext,
puUser,
&dwUserOID,
TRUE,
DEFAULT_RESOLVE_FLAGS );
if ( !NT_SUCCESS( Status ) ) {
if ( Status == STATUS_BAD_NETWORK_PATH ) {
Status = STATUS_NO_SUCH_USER;
}
goto ExitWithCleanup;
}
//
// Now get the user name from the object info.
//
UserDnBuffer = (PWCHAR) ( pbServerPublicNdsKey +
MAX_PUBLIC_KEY_LEN +
MAX_ENC_PRIV_KEY_LEN );
uUserDN.Length = 0;
uUserDN.MaximumLength = MAX_NDS_NAME_SIZE;
uUserDN.Buffer = UserDnBuffer;
Status = NdsGetUserName( pIrpContext,
dwUserOID,
&uUserDN );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
//
// Get the name of the server we are currently on. We borrow a
// little space from our key buffer and overwrite it later.
//
puServerName = ( PUNICODE_STRING ) pbServerPublicNdsKey;
puServerName->Buffer = (PWCHAR) pbServerPublicNdsKey + sizeof( UNICODE_STRING );
puServerName->MaximumLength = (USHORT) cbServerPublicNdsKeyLen - sizeof( UNICODE_STRING );
Status = NdsGetServerName( pIrpContext,
puServerName );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
//
// If the public key for this server is on a partition that's
// on another server, we'll have to jump over there to get the
// public key and then return. The key and user object are
// only any good on this server! DO NOT CHANGE THE ORDER OF
// THIS OR IT WILL BREAK!
//
pLoginServer = pIrpContext->pScb;
NwReferenceScb( pLoginServer->pNpScb );
Status = NdsResolveNameKm( pIrpContext,
puServerName,
&dwServerOID,
TRUE,
DEFAULT_RESOLVE_FLAGS );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
//
// Get the server's public key and its length.
//
Status = NdsReadPublicKey( pIrpContext,
dwServerOID,
pbServerPublicNdsKey,
&cbServerPublicNdsKeyLen );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
//
// Return us to the login server.
//
if ( pLoginServer != pIrpContext->pScb ) {
NwDequeueIrpContext( pIrpContext, FALSE );
NwDereferenceScb( pIrpContext->pNpScb );
pIrpContext->pScb = pLoginServer;
pIrpContext->pNpScb = pLoginServer->pNpScb;
} else {
NwDereferenceScb( pLoginServer->pNpScb );
}
pLoginServer = NULL;
//
// Locate the BSAFE key in the NDS key.
//
cbServerPublicBsafeKeyLen = NdsGetBsafeKey( pbServerPublicNdsKey,
cbServerPublicNdsKeyLen,
&pbServerPublicBsafeKey );
if ( !cbServerPublicBsafeKeyLen ) {
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
//
// Send the begin login packet. This returns to us the
// 4 byte challenge and the object id of the user's account
// on the server on which it was created. It may be the
// same as the object id that we provided if the account
// was created on this server.
//
Status = BeginLogin( pIrpContext,
dwUserOID,
&dwSrcUserOID,
&dwChallenge );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
//
// Compute the 16 byte NW3 hash and generate the
// 8 byte secret key from it. The 8 byte secret
// key consists of a MAC checksum of the NW3 hash.
//
Shuffle( (UCHAR *)&dwSrcUserOID,
pOemPassword->Buffer,
pOemPassword->Length,
pbNw3PasswdHash );
GenKey8( pbNw3PasswdHash,
sizeof( pbNw3PasswdHash ),
pbPasswdHashRC2Key );
//
// RC2 Encrypt the 4 byte challenge using the secret
// key generated from the password.
//
CryptStatus = CBCEncrypt( pbPasswdHashRC2Key,
NULL,
(BYTE *)&dwChallenge,
4,
pbEncryptedChallenge,
&cbEncryptedChallengeLen,
BSAFE_CHECKSUM_LEN );
if ( CryptStatus ) {
DebugTrace( 0, Dbg, "CBC encryption failed.\n", 0 );
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
pbUserPrivateNdsKey = pbServerPublicNdsKey + MAX_PUBLIC_KEY_LEN;
cbUserPrivateNdsKeyLen = MAX_ENC_PRIV_KEY_LEN;
//
// Make the finish login packet. If successful, this routine
// returns the encrypted user private key and the valid duration
// of the user's credentials.
//
if ( pOemNewPassword ) {
dwLoginFlags = 1;
}
Status = FinishLogin( pIrpContext,
dwUserOID,
dwLoginFlags,
pbEncryptedChallenge,
pbServerPublicBsafeKey,
cbServerPublicBsafeKeyLen,
pbUserPrivateNdsKey,
&cbUserPrivateNdsKeyLen,
&dwValidityStart,
&dwValidityEnd );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
if ( !pOemNewPassword ) {
//
// If the password is expired, report it to the user.
//
if ( Status == NWRDR_PASSWORD_HAS_EXPIRED ) {
PasswordExpired = TRUE;
}
//
// Allocate the credential and set up space for the private key.
//
NwAppendToQueueAndWait( pIrpContext );
AtHeadOfQueue = TRUE;
Status = NdsLookupCredentials( pIrpContext,
&pIrpContext->pScb->NdsTreeName,
pUserLogon,
&psNdsSecurityContext,
CREDENTIAL_WRITE,
TRUE );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
//
// ALERT! We are holding the credential list.
//
HoldingCredResource = TRUE;
psNdsSecurityContext->Credential = ALLOCATE_POOL( PagedPool,
sizeof( NDS_CREDENTIAL ) +
uUserDN.Length );
if ( !psNdsSecurityContext->Credential ) {
DebugTrace( 0, Dbg, "Out of memory in NdsTreeLogin (for credential)...\n", 0 );
Status = STATUS_INSUFFICIENT_RESOURCES;
goto ExitWithCleanup;
}
*( (UNALIGNED DWORD *) &( psNdsSecurityContext->Credential->validityBegin ) ) = dwValidityStart;
*( (UNALIGNED DWORD *) &( psNdsSecurityContext->Credential->validityEnd ) ) = dwValidityEnd;
DebugTrace( 0, Dbg, "Credential validity start: 0x%08lx\n", dwValidityStart );
DebugTrace( 0, Dbg, "Credential validity end: 0x%08lx\n", dwValidityEnd );
//
// RC2 Decrypt the response to extract the BSAFE private
// key data in place.
//
CryptStatus = CBCDecrypt( pbPasswdHashRC2Key,
NULL,
pbUserPrivateNdsKey,
cbUserPrivateNdsKeyLen,
pbUserPrivateNdsKey,
&cbUserPrivateNdsKeyLen,
BSAFE_CHECKSUM_LEN );
if ( CryptStatus ) {
DebugTrace( 0, Dbg, "CBC decryption failed.\n", 0 );
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
//
// Skip over the header.
//
pbUserPrivateBsafeKey = ( pbUserPrivateNdsKey + sizeof( TAG_DATA_HEADER ) );
cbUserPrivateBsafeKeyLen = *( ( WORD * ) pbUserPrivateBsafeKey );
pbUserPrivateBsafeKey += sizeof( WORD );
//
// Create the credential.
//
psNdsSecurityContext->Credential->tdh.version = 1;
psNdsSecurityContext->Credential->tdh.tag = TAG_CREDENTIAL;
GenRandomBytes( ( BYTE * ) &(psNdsSecurityContext->Credential->random),
sizeof( psNdsSecurityContext->Credential->random ) );
psNdsSecurityContext->Credential->optDataSize = 0;
psNdsSecurityContext->Credential->userNameLength = uUserDN.Length;
RtlCopyMemory( ( (BYTE *)psNdsSecurityContext->Credential) + sizeof( NDS_CREDENTIAL ),
UserDnBuffer,
uUserDN.Length );
//
// Generate and save the signature.
//
psNdsSecurityContext->Signature = ALLOCATE_POOL( PagedPool, MAX_SIGNATURE_LEN );
if ( !psNdsSecurityContext->Signature ) {
DebugTrace( 0, Dbg, "Out of memory in NdsTreeLogin (for signature)...\n", 0 );
Status = STATUS_INSUFFICIENT_RESOURCES;
goto ExitWithCleanup;
}
pbSignData = ( ( ( BYTE * ) psNdsSecurityContext->Signature ) +
sizeof( NDS_SIGNATURE ) );
RtlZeroMemory( pbSignData, MAX_RSA_BYTES );
psNdsSecurityContext->Signature->tdh.version = 1;
psNdsSecurityContext->Signature->tdh.tag = TAG_SIGNATURE;
//
// Create the hash for the signature from the credential.
//
MD2( (BYTE *) psNdsSecurityContext->Credential,
sizeof( NDS_CREDENTIAL ) + ( uUserDN.Length ),
pbSignData );
//
// Compute the 'signature' by RSA-encrypting the
// 16-byte signature hash with the private key.
//
psNdsSecurityContext->Signature->signDataLength = (WORD) RSAPrivate( pbUserPrivateBsafeKey,
cbUserPrivateBsafeKeyLen,
pbSignData,
16,
pbSignData );
if ( !psNdsSecurityContext->Signature->signDataLength ) {
DebugTrace( 0, Dbg, "RSA private encryption for signature failed.\n", 0 );
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
//
// Round up the signature length, cause that's how VLM stores it.
//
psNdsSecurityContext->Signature->signDataLength =
ROUNDUP4( psNdsSecurityContext->Signature->signDataLength );
DebugTrace( 0, Dbg, "Signature data length: %d\n",
psNdsSecurityContext->Signature->signDataLength );
//
// Get the user's public key for storage in the nds context.
//
psNdsSecurityContext->PublicNdsKey = ALLOCATE_POOL( PagedPool, MAX_PUBLIC_KEY_LEN );
if ( !psNdsSecurityContext->PublicNdsKey ) {
DebugTrace( 0, Dbg, "Out of memory in NdsTreeLogin (for public key)...\n", 0 );
Status = STATUS_INSUFFICIENT_RESOURCES;
goto ExitWithCleanup;
}
psNdsSecurityContext->PublicKeyLen = MAX_PUBLIC_KEY_LEN;
ASSERT( AtHeadOfQueue );
ASSERT( HoldingCredResource );
Status = NdsReadPublicKey( pIrpContext,
dwUserOID,
psNdsSecurityContext->PublicNdsKey,
&(psNdsSecurityContext->PublicKeyLen) );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
//
// Store away the password we used to connect.
//
if (pOemPassword->Length != 0) {
psNdsSecurityContext->Password.Buffer = ALLOCATE_POOL( NonPagedPool, pOemPassword->Length );
if ( !psNdsSecurityContext->Password.Buffer ) {
DebugTrace( 0, Dbg, "Out of memory in NdsTreeLogin (for password)\n", 0 );
Status = STATUS_INSUFFICIENT_RESOURCES;
goto ExitWithCleanup;
}
RtlCopyMemory( psNdsSecurityContext->Password.Buffer,
pOemPassword->Buffer,
pOemPassword->Length );
}
psNdsSecurityContext->Password.Length = pOemPassword->Length;
psNdsSecurityContext->Password.MaximumLength = pOemPassword->Length;
//
// We are logged in to the NDS tree. Should we zero the private
// key, or is NT's protection sufficient?
//
NwReleaseCredList( pUserLogon, pIrpContext );
//
// Try to elect this server as the preferred server if necessary.
//
NwAcquireExclusiveRcb( &NwRcb, TRUE );
if ( ( pUserLogon->ServerName.Length == 0 ) &&
( !pIrpContext->Specific.Create.fExCredentialCreate ) ) {
//
// Strip off the unicode uid from the server name.
//
PlainServerName.Length = pIrpContext->pScb->UidServerName.Length;
PlainServerName.Buffer = pIrpContext->pScb->UidServerName.Buffer;
UidLen = 0;
while ( UidLen < ( PlainServerName.Length / sizeof( WCHAR ) ) ) {
if ( PlainServerName.Buffer[UidLen++] == L'\\' ) {
break;
}
}
PlainServerName.Buffer += UidLen;
PlainServerName.Length -= ( UidLen * sizeof( WCHAR ) );
PlainServerName.MaximumLength = PlainServerName.Length;
if ( PlainServerName.Length ) {
Status = SetUnicodeString( &(pUserLogon->ServerName),
PlainServerName.Length,
PlainServerName.Buffer );
if ( NT_SUCCESS( Status ) ) {
PLIST_ENTRY pTemp;
DebugTrace( 0, Dbg, "Electing preferred server: %wZ\n", &PlainServerName );
//
// Increase the Scb ref count, set the preferred server
// flag, and move the scb to the head of the SCB list.
//
// If this is already an elected preferred
// server, don't mess up the ref count!
//
if ( !(pIrpContext->pScb->PreferredServer) ) {
NwReferenceScb( pIrpContext->pScb->pNpScb );
pIrpContext->pScb->PreferredServer = TRUE;
}
pTemp = &(pIrpContext->pScb->pNpScb->ScbLinks);
KeAcquireSpinLock( &ScbSpinLock, &OldIrql );
RemoveEntryList( pTemp );
InsertHeadList( &ScbQueue, pTemp );
KeReleaseSpinLock(&ScbSpinLock, OldIrql);
}
}
}
} else {
//
// This isn't a login, but a change password request.
//
// First we have to RC2 Decrypt the response to extract
// the BSAFE private key data in place (just like for a
// login).
//
CryptStatus = CBCDecrypt( pbPasswdHashRC2Key,
NULL,
pbUserPrivateNdsKey,
cbUserPrivateNdsKeyLen,
pbUserPrivateNdsKey,
&cbUserPrivateNdsKeyLen,
BSAFE_CHECKSUM_LEN );
if ( CryptStatus ) {
DebugTrace( 0, Dbg, "CBC decryption failed.\n", 0 );
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
//
// Now, compute the hash of the new password.
//
Shuffle( (UCHAR *)&dwSrcUserOID,
pOemNewPassword->Buffer,
pOemNewPassword->Length,
pbNewPasswdHash );
//
// And finally, make the request.
//
Status = ChangeNdsPassword( pIrpContext,
dwUserOID,
dwChallenge,
pbNw3PasswdHash,
pbNewPasswdHash,
( PNDS_PRIVATE_KEY ) pbUserPrivateNdsKey,
pbServerPublicBsafeKey,
cbServerPublicBsafeKeyLen,
pOemNewPassword->Length );
if ( !NT_SUCCESS( Status ) ) {
DebugTrace( 0, Dbg, "Change NDS password failed!\n", 0 );
goto ExitWithCleanup;
}
}
//
// Return us to our original server if we've jumped around.
//
NwDequeueIrpContext( pIrpContext, FALSE );
if ( pIrpContext->pScb != pOriginalServer ) {
NwDereferenceScb( pIrpContext->pNpScb );
pIrpContext->pScb = pOriginalServer;
pIrpContext->pNpScb = pOriginalServer->pNpScb;
} else {
NwDereferenceScb( pOriginalServer->pNpScb );
}
pOriginalServer = NULL;
if ( !pOemNewPassword ) {
NwReleaseRcb( &NwRcb );
}
FREE_POOL( pbServerPublicNdsKey );
if ( PasswordExpired ) {
Status = NWRDR_PASSWORD_HAS_EXPIRED;
} else {
Status = STATUS_SUCCESS;
}
return Status;
ExitWithCleanup:
DebugTrace( 0, Dbg, "NdsTreeLogin seems to have failed... cleaning up.\n", 0 );
FREE_POOL( pbServerPublicNdsKey );
if ( pLoginServer ) {
NwDereferenceScb( pLoginServer->pNpScb );
}
//
// If we failed after jumping servers, we have to restore
// the irp context to the original server.
//
NwDequeueIrpContext( pIrpContext, FALSE );
if ( pOriginalServer ) {
if ( pIrpContext->pScb != pOriginalServer ) {
NwDereferenceScb( pIrpContext->pNpScb );
pIrpContext->pScb = pOriginalServer;
pIrpContext->pNpScb = pOriginalServer->pNpScb;
} else {
NwDereferenceScb( pOriginalServer->pNpScb );
}
}
if ( HoldingCredResource ) {
if ( psNdsSecurityContext->Credential ) {
FREE_POOL( psNdsSecurityContext->Credential );
psNdsSecurityContext->Credential = NULL;
}
if ( psNdsSecurityContext->Signature ) {
FREE_POOL( psNdsSecurityContext->Signature );
psNdsSecurityContext->Signature = NULL;
}
if ( psNdsSecurityContext->PublicNdsKey ) {
FREE_POOL( psNdsSecurityContext->PublicNdsKey );
psNdsSecurityContext->PublicNdsKey = NULL;
psNdsSecurityContext->PublicKeyLen = 0;
}
NwReleaseCredList( pUserLogon, pIrpContext );
}
return Status;
}
NTSTATUS
BeginLogin(
IN PIRP_CONTEXT pIrpContext,
IN DWORD userId,
OUT DWORD *loginId,
OUT DWORD *challenge
)
/*++
Routine Desription:
Begin the NDS login process. The loginId returned is objectId of the user
on the server which created the account (may not be the current server).
Arguments:
pIrpContext - The IRP context for this connection.
userId - The user's NDS object Id.
loginId - The objectId used to encrypt password.
challenge - The 4 byte random challenge.
Return value:
NTSTATUS - The result of the operation.
--*/
{
NTSTATUS Status;
LOCKED_BUFFER NdsRequest;
PAGED_CODE();
DebugTrace( 0, Dbg, "Enter BeginLogin...\n", 0 );
Status = NdsAllocateLockedBuffer( &NdsRequest, NDS_BUFFER_SIZE );
if ( !NT_SUCCESS( Status ) ) {
return STATUS_INSUFFICIENT_RESOURCES;
}
//
// Announce myself.
//
Status = FragExWithWait( pIrpContext,
NDSV_BEGIN_LOGIN,
&NdsRequest,
"DD",
0,
userId );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
Status = NdsCompletionCodetoNtStatus( &NdsRequest );
if ( !NT_SUCCESS( Status ) ) {
if ( Status == STATUS_BAD_NETWORK_PATH ) {
Status = STATUS_NO_SUCH_USER;
}
goto ExitWithCleanup;
}
//
// Get the object id and the challenge string.
//
Status = ParseResponse( NULL,
NdsRequest.pRecvBufferVa,
NdsRequest.dwBytesWritten,
"G_DD",
sizeof( DWORD ),
loginId,
challenge );
if ( NT_SUCCESS( Status ) ) {
DebugTrace( 0, Dbg, "Login 4 byte challenge: 0x%08lx\n", *challenge );
} else {
DebugTrace( 0, Dbg, "Begin login failed...\n", 0 );
}
ExitWithCleanup:
NdsFreeLockedBuffer( &NdsRequest );
return Status;
}
NTSTATUS
FinishLogin(
IN PIRP_CONTEXT pIrpContext,
IN DWORD dwUserOID,
IN DWORD dwLoginFlags,
IN BYTE pbEncryptedChallenge[16],
IN BYTE *pbServerPublicBsafeKey,
IN int cbServerPublicBsafeKeyLen,
OUT BYTE *pbUserEncPrivateNdsKey,
OUT int *pcbUserEncPrivateNdsKeyLen,
OUT DWORD *pdwCredentialStartTime,
OUT DWORD *pdwCredentialEndTime
)
/*++
Routine Description:
Constructs and sends the Finish Login request to the server.
Arguments:
pIrpContext - (IN) IRP context for this request
dwUserOID - (IN) user's NDS object Id
pbEncryptedChallenge - (IN) RC2 encrypted challenge
pbServerPublicBsafeKey - (IN) server public bsafe key
cbServerPublicBsafeKeyLen - (IN) length of server public key
pbUserEncPrivateNdsKey - (OUT) user's encrypted private nds key
pcbUserEncPrivateNdsKeyLen - (OUT) length of pbUserEncPrivateNdsKey
pdwCredentialStartTime - (OUT) validity start time for credentials
pdwCredentialEndTime - (OUT) validity end time for credentials
--*/
{
NTSTATUS Status;
const USHORT cbEncryptedChallengeLen = 16;
int LOG_DATA_POOL_SIZE, // pool sizes for our allocation call
PACKET_POOL_SIZE,
RESP_POOL_SIZE;
BYTE *pbRandomBytes; // random bytes used in crypto routines
BYTE RandRC2SecretKey[RC2_KEY_LEN]; // random RC2 key generated from above
BYTE pbEncryptedChallengeKey[RC2_KEY_LEN]; // RC2 key that will decode the response
NDS_RAND_BYTE_BLOCK *psRandByteBlock;
ENC_BLOCK_HDR *pbEncRandSeedHead; // header for encrypted random RC2 key seed
BYTE *pbEncRandSeed; // encrypted random seed
int cbPackedRandSeedLen; // length of the packed rand seed bytes
ENC_BLOCK_HDR *pbEncChallengeHead; // header for encrypted challenge
ENC_BLOCK_HDR *pbEncLogDataHead; // header for encrypted login data
BYTE *pbEncLogData; // encrypted login data
int cbEncLogDataLen; // length of the encrypted login data
ENC_BLOCK_HDR *pbEncServerRespHead; // header for encrypted response
BYTE *pbEncServerResp; // encrypted response
int CryptStatus, // crypt call status
CryptLen, // length of encrypted data
RequestPacketLen, // length of the request packet data
cbServerRespLen; // server response length after decryption
BYTE *pbServerResponse; // response from the server
DWORD cbEncServerRespLen; // server response length before decryption
DWORD EncKeyLen; // length of the encrypted private key
ENC_BLOCK_HDR *pbPrivKeyHead; // encryption header of the private key
LOCKED_BUFFER NdsRequest; // fragex locked buffer
BOOL PasswordExpired = FALSE;
PAGED_CODE();
DebugTrace( 0, Dbg, "Enter FinishLogin...\n", 0 );
//
// Allocate working space. The login data pool starts at
// pbRandomBytes. The packet data starts at pbEncRandSeedHead.
// The server response pool starts at pbServerResponse.
//
//
// The alignment of these structures may possibly be wrong on
// quad aligned machines; check out a hardware independent fix.
//
LOG_DATA_POOL_SIZE = RAND_KEY_DATA_LEN + // 28 bytes for random seed
sizeof ( NDS_RAND_BYTE_BLOCK ) + // login data random header
sizeof ( ENC_BLOCK_HDR ) + // header for encrypted challenge
cbEncryptedChallengeLen + // data for encrypted challenge
8; // padding
LOG_DATA_POOL_SIZE = ROUNDUP4( LOG_DATA_POOL_SIZE );
PACKET_POOL_SIZE = 2048; // packet buffer size
RESP_POOL_SIZE = 2048; // packet buffer size
pbRandomBytes = ALLOCATE_POOL( PagedPool,
LOG_DATA_POOL_SIZE +
PACKET_POOL_SIZE +
RESP_POOL_SIZE );
if ( !pbRandomBytes ) {
DebugTrace( 0, Dbg, "Out of memory in FinishLogin (main block)...\n", 0 );
return STATUS_INSUFFICIENT_RESOURCES;
}
pbEncRandSeedHead = ( PENC_BLOCK_HDR ) ( pbRandomBytes + LOG_DATA_POOL_SIZE );
pbServerResponse = ( pbRandomBytes + LOG_DATA_POOL_SIZE + PACKET_POOL_SIZE );
//
// Start working on the login data. As is common in the crypto world, we
// generate a random seed and then make a key from it to be used with a
// bulk cipher algorithm. In Netware land, we use MAC to make an 8 byte
// key from the random seed and use 64bit RC2 as our bulk cipher. We then
// RSA encrypt the seed using the server's public RSA key and use the bulk
// cipher to encrypt the rest of our login data.
//
// Since Novell uses 64bit RC2, the security isn't great.
//
GenRandomBytes( pbRandomBytes, RAND_KEY_DATA_LEN );
GenKey8( pbRandomBytes, RAND_KEY_DATA_LEN, RandRC2SecretKey );
//
// Now work on the actual packet data. Create the header for the
// encrypted random seed and pack the seed into it.
//
pbEncRandSeed = ( ( BYTE * )pbEncRandSeedHead ) + sizeof( ENC_BLOCK_HDR );
pbEncRandSeedHead->cipherLength = (WORD) RSAGetInputBlockSize( pbServerPublicBsafeKey,
cbServerPublicBsafeKeyLen );
cbPackedRandSeedLen = RSAPack( pbRandomBytes,
RAND_KEY_DATA_LEN,
pbEncRandSeed,
pbEncRandSeedHead->cipherLength );
//
// We should have packed exactly one block.
//
if( cbPackedRandSeedLen != pbEncRandSeedHead->cipherLength ) {
DebugTrace( 0, Dbg, "RSAPack didn't pack exactly one block!\n", 0 );
}
pbEncRandSeedHead->cipherLength = (WORD) RSAPublic( pbServerPublicBsafeKey,
cbServerPublicBsafeKeyLen,
pbEncRandSeed,
pbEncRandSeedHead->cipherLength,
pbEncRandSeed );
if ( !pbEncRandSeedHead->cipherLength ) {
DebugTrace( 0, Dbg, "Failing in FinishLogin... encryption failed.\n", 0 );
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
//
// Fill in the rest of the header for the random seed. We don't count
// the first DWORD in the EBH; it isn't part of the header as netware
// wants it, per se.
//
pbEncRandSeedHead->blockLength = pbEncRandSeedHead->cipherLength +
sizeof( ENC_BLOCK_HDR ) -
sizeof( DWORD );
pbEncRandSeedHead->version = 1;
pbEncRandSeedHead->encType = ENC_TYPE_RSA_PUBLIC;
pbEncRandSeedHead->dataLength = RAND_KEY_DATA_LEN;
//
// Go back to working on the login data. Fill out the rbb.
//
psRandByteBlock = ( PNDS_RAND_BYTE_BLOCK ) ( pbRandomBytes + RAND_KEY_DATA_LEN );
GenRandomBytes( (BYTE *) &psRandByteBlock->rand1, 4 );
psRandByteBlock->rand2Len = RAND_FL_DATA_LEN;
GenRandomBytes( (BYTE *) &psRandByteBlock->rand2[0], RAND_FL_DATA_LEN );
//
// Fill out the header for the encrypted challenge right after the rbb.
//
pbEncChallengeHead = (ENC_BLOCK_HDR *) ( ((BYTE *)psRandByteBlock) +
sizeof( NDS_RAND_BYTE_BLOCK ) );
pbEncChallengeHead->version = 1;
pbEncChallengeHead->encType = ENC_TYPE_RC2_CBC;
pbEncChallengeHead->dataLength = 4;
pbEncChallengeHead->cipherLength = cbEncryptedChallengeLen;
pbEncChallengeHead->blockLength = cbEncryptedChallengeLen +
sizeof( ENC_BLOCK_HDR ) -
sizeof( DWORD );
//
// Place the encrypted challenge immediately after its header.
//
RtlCopyMemory( (BYTE *)( ((BYTE *)pbEncChallengeHead) +
sizeof( ENC_BLOCK_HDR )),
pbEncryptedChallenge,
cbEncryptedChallengeLen );
//
// Prepare the RC2 key to decrypt FinishLogin response.
//
GenKey8( (BYTE *)( &pbEncChallengeHead->version ),
pbEncChallengeHead->blockLength,
pbEncryptedChallengeKey );
//
// Finish up the packet data by preparing the login data. Start
// with the encryption header.
//
pbEncLogDataHead = ( PENC_BLOCK_HDR ) ( pbEncRandSeed +
ROUNDUP4( pbEncRandSeedHead->cipherLength ) );
pbEncLogData = ( ( BYTE * )pbEncLogDataHead ) + sizeof( ENC_BLOCK_HDR );
pbEncLogDataHead->version = 1;
pbEncLogDataHead->encType = ENC_TYPE_RC2_CBC;
pbEncLogDataHead->dataLength = sizeof( NDS_RAND_BYTE_BLOCK ) +
sizeof( ENC_BLOCK_HDR ) +
cbEncryptedChallengeLen;
//
// Sanity check the packet pool for overflow.
//
if ( ( pbEncLogData + pbEncLogDataHead->dataLength + ( 2 * CIPHERBLOCKSIZE ) ) -
(BYTE *) pbEncRandSeedHead > PACKET_POOL_SIZE ) {
DebugTrace( 0, Dbg, "Packet pool overflow... I'd better fix this.\n", 0 );
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
//
// Encrypt the login data.
//
CryptStatus = CBCEncrypt( RandRC2SecretKey,
NULL,
(BYTE *)psRandByteBlock,
pbEncLogDataHead->dataLength,
pbEncLogData,
&CryptLen,
BSAFE_CHECKSUM_LEN );
if ( CryptStatus ) {
DebugTrace( 0, Dbg, "Encryption failure in FinishLogin...\n", 0 );
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
pbEncLogDataHead->cipherLength = (WORD)CryptLen;
pbEncLogDataHead->blockLength = pbEncLogDataHead->cipherLength +
sizeof( ENC_BLOCK_HDR ) -
sizeof( DWORD );
//
// We can finally send out the finish login request! Calculate the
// send amount and make the request.
//
RequestPacketLen = (int) (( (BYTE *) pbEncLogData + pbEncLogDataHead->cipherLength ) -
(BYTE *) pbEncRandSeedHead);
NdsRequest.pRecvBufferVa = pbServerResponse;
NdsRequest.dwRecvLen = RESP_POOL_SIZE;
NdsRequest.pRecvMdl = NULL;
NdsRequest.pRecvMdl = ALLOCATE_MDL( pbServerResponse,
RESP_POOL_SIZE,
FALSE,
FALSE,
NULL );
if ( !NdsRequest.pRecvMdl ) {
Status = STATUS_INSUFFICIENT_RESOURCES;
goto ExitWithCleanup;
}
MmProbeAndLockPages( NdsRequest.pRecvMdl,
KernelMode,
IoWriteAccess );
Status = FragExWithWait( pIrpContext,
NDSV_FINISH_LOGIN,
&NdsRequest,
"DDDDDDDr",
2, // Version
dwLoginFlags, // Flags
dwUserOID, // Entry ID
0x494, //
1, // Security Version
0x20009, // Envelope ID 1
0x488, // Envelope length
pbEncRandSeedHead, // Cipher block
RequestPacketLen ); // Cipher block length
MmUnlockPages( NdsRequest.pRecvMdl );
FREE_MDL( NdsRequest.pRecvMdl );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
Status = NdsCompletionCodetoNtStatus( &NdsRequest );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
if ( Status == NWRDR_PASSWORD_HAS_EXPIRED ) {
PasswordExpired = TRUE;
}
cbServerRespLen = NdsRequest.dwBytesWritten;
//
// Save the credential validity times.
//
Status = ParseResponse( NULL,
pbServerResponse,
cbServerRespLen,
"G_DD",
sizeof( DWORD ),
pdwCredentialStartTime,
pdwCredentialEndTime );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
//
// Grab the encryption block header for the response. This response in
// RC2 encrypted with the pbEncryptedChallengeKey.
//
pbEncServerRespHead = (ENC_BLOCK_HDR *) ( pbServerResponse +
( 3 * sizeof( DWORD ) ) );
if ( pbEncServerRespHead->encType != ENC_TYPE_RC2_CBC ||
pbEncServerRespHead->cipherLength >
( RESP_POOL_SIZE + sizeof( ENC_BLOCK_HDR ) + 12 ) ) {
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
//
// Decrypt the server response in place.
//
pbEncServerResp = ( BYTE * ) ( ( BYTE * ) pbEncServerRespHead +
sizeof( ENC_BLOCK_HDR ) );
CryptStatus = CBCDecrypt( pbEncryptedChallengeKey,
NULL,
pbEncServerResp,
pbEncServerRespHead->cipherLength,
pbEncServerResp,
&cbServerRespLen,
BSAFE_CHECKSUM_LEN );
if ( CryptStatus ||
cbServerRespLen != pbEncServerRespHead->dataLength ) {
DebugTrace( 0, Dbg, "Encryption failure (2) in FinishLogin...\n", 0 );
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
//
// Examine the first random number to make sure the server is authentic.
//
if ( psRandByteBlock->rand1 != * ( DWORD * ) pbEncServerResp ) {
DebugTrace( 0, Dbg, "Server failed to respond to our challenge correctly...\n", 0 );
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
//
// We know things are legit, so we can extract the private key.
// Careful, though: don't XOR the size dword.
//
pbEncServerResp += sizeof( DWORD );
EncKeyLen = * ( DWORD * ) ( pbEncServerResp );
pbEncServerResp += sizeof( DWORD );
while ( EncKeyLen-- ) {
pbEncServerResp[EncKeyLen] ^= psRandByteBlock->rand2[EncKeyLen];
}
//
// Check the encryption header on the private key. Don't forget to
// backup to include the size dword.
//
pbPrivKeyHead = ( ENC_BLOCK_HDR * )( pbEncServerResp - sizeof( DWORD ) ) ;
if ( pbPrivKeyHead->encType != ENC_TYPE_RC2_CBC ) {
DebugTrace( 0, Dbg, "Bad encryption header on the private key...\n", 0 );
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
//
// Finally, copy out the user's private NDS key.
//
if ( *pcbUserEncPrivateNdsKeyLen >= pbPrivKeyHead->cipherLength ) {
DebugTrace( 0, Dbg, "Encrypted private key len: %d\n",
pbPrivKeyHead->cipherLength );
RtlCopyMemory( pbUserEncPrivateNdsKey,
((BYTE *)( pbPrivKeyHead )) + sizeof( ENC_BLOCK_HDR ),
pbPrivKeyHead->cipherLength );
*pcbUserEncPrivateNdsKeyLen = pbPrivKeyHead->cipherLength;
Status = STATUS_SUCCESS;
} else {
DebugTrace( 0, Dbg, "Encryption failure on private key in FinishLogin...\n", 0 );
Status = STATUS_UNSUCCESSFUL;
}
ExitWithCleanup:
FREE_POOL( pbRandomBytes );
if ( ( NT_SUCCESS( Status ) ) &&
( PasswordExpired ) ) {
Status = NWRDR_PASSWORD_HAS_EXPIRED;
}
return Status;
}
NTSTATUS
ChangeNdsPassword(
PIRP_CONTEXT pIrpContext,
DWORD dwUserOID,
DWORD dwChallenge,
PBYTE pbOldPwHash,
PBYTE pbNewPwHash,
PNDS_PRIVATE_KEY pUserPrivKey,
PBYTE pServerPublicBsafeKey,
UINT ServerPubKeyLen,
USHORT NewPassLen
)
/*+++
Description:
Send a change password packet. Change the users password
on the NDS tree that this irp context points to.
Arguments:
pIrpContext - The irp context for this request. Points to the target server.
dwUserOID - The oid for the current user.
dwChallenge - The encrypted challenge from begin login.
pbOldPwHash - The 16 byte hash of the old password.
pbNewPwHash - The 16 byte hash of the new password.
pUserPrivKey - The user's private RSA key with NDS header.
pServerPublicBsafeKey - The server's public RSA key in BSAFE format.
ServerPubKeyLen - The length of the server's public BSAFE key.
NewPassLen - The length of the unencrypted new password.
--*/
{
NTSTATUS Status;
BYTE pbNewPwKey[8];
BYTE pbSecretKey[8];
PENC_BLOCK_HDR pbEncSecretKey, pbEncChangePassReq;
BYTE RandomBytes[RAND_KEY_DATA_LEN];
PBYTE pbEncData;
PNDS_CHPW_MSG pChangePassMsg;
INT CryptStatus, CryptLen;
DWORD dwTotalEncDataLen;
LOCKED_BUFFER NdsRequest;
PAGED_CODE();
//
// Create a secret key from the new password.
//
GenKey8( pbNewPwHash, 16, pbNewPwKey );
pbEncSecretKey = ALLOCATE_POOL( PagedPool,
( ( 2 * sizeof( ENC_BLOCK_HDR ) ) +
( MAX_RSA_BYTES ) +
( sizeof( NDS_CHPW_MSG ) ) +
( sizeof( NDS_PRIVATE_KEY ) ) +
( pUserPrivKey->keyDataLength ) +
16 ) );
if ( !pbEncSecretKey ) {
DebugTrace( 0, Dbg, "ChangeNdsPassword: Out of memory.\n", 0 );
return STATUS_INSUFFICIENT_RESOURCES;
}
Status = NdsAllocateLockedBuffer( &NdsRequest, NDS_BUFFER_SIZE );
if ( !NT_SUCCESS( Status ) ) {
FREE_POOL( pbEncSecretKey );
return STATUS_INSUFFICIENT_RESOURCES;
}
//
// Generate a random key.
//
GenRandomBytes( RandomBytes, RAND_KEY_DATA_LEN );
GenKey8( RandomBytes, RAND_KEY_DATA_LEN, pbSecretKey );
//
// Encrypt the secret key data in the space after the EBH.
//
pbEncSecretKey->dataLength = RAND_KEY_DATA_LEN;
pbEncSecretKey->cipherLength = (WORD) RSAGetInputBlockSize( pServerPublicBsafeKey, ServerPubKeyLen);
pbEncData = ( PBYTE ) ( pbEncSecretKey + 1 );
pbEncSecretKey->cipherLength = (WORD) RSAPack( RandomBytes,
pbEncSecretKey->dataLength,
pbEncData,
pbEncSecretKey->cipherLength );
pbEncSecretKey->cipherLength = (WORD) RSAPublic( pServerPublicBsafeKey,
ServerPubKeyLen,
pbEncData,
pbEncSecretKey->cipherLength,
pbEncData );
if ( !pbEncSecretKey->cipherLength ) {
DebugTrace( 0, Dbg, "ChangeNdsPassword: RSA encryption failed.\n", 0 );
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
//
// Finish filling out the EBH for the secret key block.
//
pbEncSecretKey->version = 1;
pbEncSecretKey->encType = ENC_TYPE_RSA_PUBLIC;
pbEncSecretKey->blockLength = pbEncSecretKey->cipherLength +
sizeof( ENC_BLOCK_HDR ) -
sizeof( DWORD );
//
// Now form the change password request.
//
pbEncChangePassReq = ( PENC_BLOCK_HDR )
( pbEncData + ROUNDUP4( pbEncSecretKey->cipherLength ) );
pChangePassMsg = ( PNDS_CHPW_MSG ) ( pbEncChangePassReq + 1 );
//
// Init the Change Password message.
//
pChangePassMsg->challenge = dwChallenge;
pChangePassMsg->oldPwLength = pChangePassMsg->newPwLength = 16;
RtlCopyMemory( pChangePassMsg->oldPwHash, pbOldPwHash, pChangePassMsg->oldPwLength );
RtlCopyMemory( pChangePassMsg->newPwHash, pbNewPwHash, pChangePassMsg->newPwLength );
pChangePassMsg->unknown = NewPassLen;
pChangePassMsg->encPrivKeyHdr.version = 1;
pChangePassMsg->encPrivKeyHdr.encType = ENC_TYPE_RC2_CBC;
pChangePassMsg->encPrivKeyHdr.dataLength = pUserPrivKey->keyDataLength + sizeof( NDS_PRIVATE_KEY );
//
// Encrypt the private key with the key derived from the new password.
//
CryptStatus = CBCEncrypt( pbNewPwKey,
NULL,
( PBYTE ) pUserPrivKey,
pChangePassMsg->encPrivKeyHdr.dataLength,
( PBYTE ) ( pChangePassMsg + 1 ),
&CryptLen,
BSAFE_CHECKSUM_LEN );
if ( CryptStatus ) {
DebugTrace( 0, Dbg, "ChangeNdsPassword: CBC encrypt failed.\n", 0 );
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
//
// Finish filling out the encryption header.
//
pChangePassMsg->encPrivKeyHdr.cipherLength = (WORD) CryptLen;
pChangePassMsg->encPrivKeyHdr.blockLength = CryptLen +
sizeof( ENC_BLOCK_HDR ) -
sizeof( DWORD );
pbEncChangePassReq->version = 1;
pbEncChangePassReq->encType = ENC_TYPE_RC2_CBC;
pbEncChangePassReq->dataLength = sizeof( NDS_CHPW_MSG ) + (USHORT) CryptLen;
//
// Encrypt the whole Change Password message in-place with the secret key.
//
CryptStatus = CBCEncrypt( pbSecretKey,
NULL,
( PBYTE ) pChangePassMsg,
pbEncChangePassReq->dataLength,
( PBYTE ) pChangePassMsg,
&CryptLen,
BSAFE_CHECKSUM_LEN);
if ( CryptStatus ) {
DebugTrace( 0, Dbg, "ChangeNdsPassword: Second CBC encrypt failed.\n", 0 );
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
pbEncChangePassReq->cipherLength = (WORD) CryptLen;
pbEncChangePassReq->blockLength =
CryptLen + sizeof( ENC_BLOCK_HDR ) - sizeof( DWORD );
//
// Calculate the size of the request.
//
dwTotalEncDataLen = sizeof( ENC_BLOCK_HDR ) + // Secret key header.
ROUNDUP4( pbEncSecretKey->cipherLength ) + // Secret key data.
sizeof( ENC_BLOCK_HDR ) + // Change pass msg header.
CryptLen; // Change pass data.
//
// Send this change password message to the server.
//
Status = FragExWithWait( pIrpContext,
NDSV_CHANGE_PASSWORD,
&NdsRequest,
"DDDDDDr",
0,
dwUserOID,
dwTotalEncDataLen + ( 3 * sizeof( DWORD ) ),
1,
0x20009,
dwTotalEncDataLen,
pbEncSecretKey,
dwTotalEncDataLen );
if ( NT_SUCCESS( Status ) ) {
Status = NdsCompletionCodetoNtStatus( &NdsRequest );
}
ExitWithCleanup:
FREE_POOL( pbEncSecretKey );
NdsFreeLockedBuffer( &NdsRequest );
return Status;
}
NTSTATUS
NdsServerAuthenticate(
IN PIRP_CONTEXT pIrpContext,
IN PNDS_SECURITY_CONTEXT pNdsContext
)
/*++
Routine Description:
Authenticate an NDS connection.
The user must have already logged into the NDS tree.
If you change this function - know that you cannot
at any point try to acquire the nds credential
resource exclusive from here since that could cause
a dead lock!!!
You also must not dequeue the irp context!
Arguments:
pIrpContext - IrpContext for the server that we want to authenticate to.
Return value:
NTSTATUS
--*/
{
NTSTATUS Status;
BYTE *pbUserPublicBsafeKey = NULL;
int cbUserPublicBsafeKeyLen = 0;
NDS_AUTH_MSG *psAuthMsg;
NDS_CREDENTIAL *psLocalCredential;
DWORD dwLocalCredentialLen;
UNICODE_STRING uUserName;
DWORD UserOID;
BYTE *x, *y, *r;
BYTE CredentialHash[16];
int i, rsaBlockSize = 0, rsaModSize, totalXLen;
DWORD dwServerRand;
BYTE *pbResponse;
DWORD cbResponseLen;
LOCKED_BUFFER NdsRequest;
PAGED_CODE();
DebugTrace( 0, Dbg, "Entering NdsServerAuthenticate...\n", 0 );
ASSERT( pIrpContext->pNpScb->Requests.Flink == &pIrpContext->NextRequest );
//
// Allocate space for the auth msg, credential, G-Q bytes, and
// the response buffer.
//
psAuthMsg = ALLOCATE_POOL( PagedPool,
sizeof( NDS_AUTH_MSG ) + // auth message
sizeof( NDS_CREDENTIAL ) + // credential
MAX_NDS_NAME_SIZE + //
( MAX_RSA_BYTES * 9 ) ); // G-Q rands
if ( !psAuthMsg ) {
DebugTrace( 0, Dbg, "Out of memory in NdsServerAuthenticate (0)...\n", 0 );
return STATUS_INSUFFICIENT_RESOURCES;
}
pbResponse = ALLOCATE_POOL( PagedPool, NDS_BUFFER_SIZE );
if ( !pbResponse ) {
DebugTrace( 0, Dbg, "Out of memory in NdsServerAuthenticate (1)...\n", 0 );
FREE_POOL( psAuthMsg );
return STATUS_INSUFFICIENT_RESOURCES;
}
psLocalCredential = (PNDS_CREDENTIAL)( ((BYTE *) psAuthMsg) +
sizeof( NDS_AUTH_MSG ) );
//
// Locate the public BSAFE key.
//
cbUserPublicBsafeKeyLen = NdsGetBsafeKey ( (BYTE *)(pNdsContext->PublicNdsKey),
pNdsContext->PublicKeyLen,
&pbUserPublicBsafeKey );
//
// Can the length of the BSAFE key be 0? I guess not.
//
if (( cbUserPublicBsafeKeyLen == 0 ) ||
( (DWORD)cbUserPublicBsafeKeyLen > pNdsContext->PublicKeyLen )) {
Status = STATUS_UNSUCCESSFUL;
goto ExitWithCleanup;
}
DebugTrace( 0, Dbg, "BSAFE key size : %d\n", cbUserPublicBsafeKeyLen );
//
// Get the user's object Id but do not jump dir servers. There is never
// any optional data, so we don't really need to skip over it.
//
uUserName.MaximumLength = pNdsContext->Credential->userNameLength;
uUserName.Length = uUserName.MaximumLength;
uUserName.Buffer = ( WCHAR * ) ( ((BYTE *)pNdsContext->Credential) +
sizeof( NDS_CREDENTIAL ) +
pNdsContext->Credential->optDataSize );
Status = NdsResolveNameKm( pIrpContext,
&uUserName,
&UserOID,
FALSE,
RSLV_DEREF_ALIASES | RSLV_CREATE_ID | RSLV_ENTRY_ID );
if ( !NT_SUCCESS(Status) ) {
goto ExitWithCleanup;
}
//
// Issue the Begin Authenticate request to get the random server nonce.
//
Status = BeginAuthenticate( pIrpContext,
UserOID,
&dwServerRand );
if ( !NT_SUCCESS(Status) ) {
goto ExitWithCleanup;
}
//
// Figure out the size of the zero-padded RSA Blocks. We use the same
// size as the modulus field of the public key (typically 56 bytes).
//
RSAGetModulus( pbUserPublicBsafeKey,
cbUserPublicBsafeKeyLen,
&rsaBlockSize);
DebugTrace( 0, Dbg, "RSA block size for authentication: %d\n", rsaBlockSize );
//
// Prepare the credential and the 3 G-Q rands. The credential,
// xs, and ys go out in the packet; rs is secret.
//
RtlZeroMemory( ( BYTE * )psLocalCredential,
sizeof( NDS_CREDENTIAL ) +
MAX_NDS_NAME_SIZE +
9 * rsaBlockSize );
dwLocalCredentialLen = sizeof( NDS_CREDENTIAL ) +
pNdsContext->Credential->optDataSize +
pNdsContext->Credential->userNameLength;
DebugTrace( 0, Dbg, "Credential length is %d.\n", dwLocalCredentialLen );
RtlCopyMemory( (BYTE *)psLocalCredential,
pNdsContext->Credential,
dwLocalCredentialLen );
x = ( BYTE * ) psAuthMsg + sizeof( NDS_AUTH_MSG ) + dwLocalCredentialLen;
y = x + ( 3 * rsaBlockSize );
r = y + ( 3 * rsaBlockSize );
rsaModSize = RSAGetInputBlockSize( pbUserPublicBsafeKey,
cbUserPublicBsafeKeyLen );
DebugTrace( 0, Dbg, "RSA modulus size: %d\n", rsaModSize );
for ( i = 0; i < 3; i++ ) {
//
// Create Random numbers r1, r2 and r3 of modulus size.
//
GenRandomBytes( r + ( rsaBlockSize * i ), rsaModSize );
//
// Compute x = r**e mod N.
//
RSAPublic( pbUserPublicBsafeKey,
cbUserPublicBsafeKeyLen,
r + ( rsaBlockSize * i ),
rsaModSize,
x + ( rsaBlockSize * i ) );
}
//
// Fill in the AuthMsg fields.
//
psAuthMsg->version = 0;
psAuthMsg->svrRand = dwServerRand;
psAuthMsg->verb = NDSV_FINISH_AUTHENTICATE;
psAuthMsg->credentialLength = dwLocalCredentialLen;
//
// MD2 hash the auth message, credential and x's.
//
MD2( (BYTE *)psAuthMsg,
sizeof( NDS_AUTH_MSG ) +
psAuthMsg->credentialLength +
( 3 * rsaBlockSize ),
CredentialHash );
//
// Compute yi = ri*(S**ci) mod N; c1,c2,c3 are the first three
// 16 bit numbers in CredentialHash.
//
totalXLen = 3 * rsaBlockSize;
for ( i = 0; i < 3; i++ ) {
RSAModExp( pbUserPublicBsafeKey,
cbUserPublicBsafeKeyLen,
( (BYTE *)(pNdsContext->Signature) ) + sizeof( NDS_SIGNATURE ),
pNdsContext->Signature->signDataLength,
&CredentialHash[i * sizeof( WORD )],
sizeof( WORD ),
y + ( rsaBlockSize * i) );
RSAModMpy( pbUserPublicBsafeKey,
cbUserPublicBsafeKeyLen,
y + ( rsaBlockSize * i ), // input1 = S**ci mod N
rsaModSize + 1,
r + ( rsaBlockSize * i ), // input2 = ri
rsaModSize,
y + ( rsaBlockSize * i ) ); // output = yi
}
//
// Send the auth proof.
//
NdsRequest.pRecvBufferVa = pbResponse;
NdsRequest.dwRecvLen = NDS_BUFFER_SIZE;
NdsRequest.pRecvMdl = NULL;
NdsRequest.pRecvMdl = ALLOCATE_MDL( pbResponse,
NDS_BUFFER_SIZE,
FALSE,
FALSE,
NULL );
if ( !NdsRequest.pRecvMdl ) {
Status = STATUS_INSUFFICIENT_RESOURCES;
goto ExitWithCleanup;
}
MmProbeAndLockPages( NdsRequest.pRecvMdl,
KernelMode,
IoWriteAccess );
Status = FragExWithWait( pIrpContext,
NDSV_FINISH_AUTHENTICATE,
&NdsRequest,
"DDDrDDWWWWr",
0, // version
0, // sessionKeyLen
psAuthMsg->credentialLength, // credential len
(BYTE *)psLocalCredential, // actual credential
ROUNDUP4( psAuthMsg->credentialLength ),
12 + ( totalXLen * 2 ), // length of remaining
1, // proof version?
8, // tag?
16, // message digest base
3, // proof order
totalXLen, // proofOrder*sizeof(x)
x, // x1,x2,x3,y1,y2,y3
2 * totalXLen );
MmUnlockPages( NdsRequest.pRecvMdl );
FREE_MDL( NdsRequest.pRecvMdl );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
Status = NdsCompletionCodetoNtStatus( &NdsRequest );
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
cbResponseLen = NdsRequest.dwBytesWritten;
DebugTrace( 0, Dbg, "Authentication returned ok status.\n", 0 );
//
// We completed NDS authentication, so clear out the name
// and password in the SCB so that we use the credentials
// from now on.
//
if ( pIrpContext->pScb->UserName.Buffer != NULL ) {
DebugTrace( 0, Dbg, "Clearing out bindery login data.\n", 0 );
pIrpContext->pScb->UserName.Length = 0;
pIrpContext->pScb->UserName.MaximumLength = 0;
pIrpContext->pScb->Password.Length = 0;
pIrpContext->pScb->Password.MaximumLength = 0;
FREE_POOL( pIrpContext->pScb->UserName.Buffer );
RtlInitUnicodeString( &pIrpContext->pScb->UserName, NULL );
RtlInitUnicodeString( &pIrpContext->pScb->Password, NULL );
}
ExitWithCleanup:
FREE_POOL( psAuthMsg );
FREE_POOL( pbResponse );
return Status;
}
NTSTATUS
BeginAuthenticate(
IN PIRP_CONTEXT pIrpContext,
IN DWORD dwUserId,
OUT DWORD *pdwSvrRandom
)
/*++
Routine Description:
Authenticate an NDS connection.
The user must have already logged into the NDS tree.
Arguments:
pIrpContext - IrpContext for the server that we want to authenticate to.
dwUserID - The user OID that we are authenticating ourselves as.
pdwSvrRandon - The server random challenge.
Return value:
NTSTATUS - The result of the operation.
--*/
{
NTSTATUS Status;
LOCKED_BUFFER NdsRequest;
DWORD dwClientRand;
PAGED_CODE();
Status = NdsAllocateLockedBuffer( &NdsRequest, NDS_BUFFER_SIZE );
if ( !NT_SUCCESS( Status ) ) {
return STATUS_INSUFFICIENT_RESOURCES;
}
GenRandomBytes( (BYTE *)&dwClientRand, sizeof( dwClientRand ) );
Status = FragExWithWait( pIrpContext,
NDSV_BEGIN_AUTHENTICATE,
&NdsRequest,
"DDD",
0, // Version.
dwUserId, // Entry Id.
dwClientRand ); // Client's random challenge.
if ( !NT_SUCCESS( Status ) ) {
goto ExitWithCleanup;
}
Status = NdsCompletionCodetoNtStatus( &NdsRequest );
if ( !NT_SUCCESS( Status ) ) {
if ( Status == STATUS_BAD_NETWORK_PATH ) {
Status = STATUS_NO_SUCH_USER;
}
goto ExitWithCleanup;
}
//
// The reply actually contains all this, even though we don't look at it?
//
// typedef struct {
// DWORD svrRand;
// DWORD totalLength;
// TAG_DATA_HEADER tdh;
// WORD unknown; // Always 2.
// DWORD encClientRandLength;
// CIPHER_BLOCK_HEADER keyCipherHdr;
// BYTE keyCipher[];
// CIPHER_BLOCK_HEADER encClientRandHdr;
// BYTE encClientRand[];
// } REPLY_BEGIN_AUTHENTICATE;
//
// Nah, that can't be right.
//
Status = ParseResponse( NULL,
NdsRequest.pRecvBufferVa,
NdsRequest.dwBytesWritten,
"G_D",
sizeof( DWORD ),
pdwSvrRandom );
//
// We either got it or we didn't.
//
ExitWithCleanup:
NdsFreeLockedBuffer( &NdsRequest );
return Status;
}
NTSTATUS
NdsLicenseConnection(
PIRP_CONTEXT pIrpContext
)
/*+++
Send the license NCP to the server to license this connection.
---*/
{
NTSTATUS Status;
PAGED_CODE();
DebugTrace( 0, Dbg, "Licensing connection to %wZ.\n", &(pIrpContext->pNpScb->pScb->UidServerName) );
//
// Change the authentication state of the connection.
//
Status = ExchangeWithWait ( pIrpContext,
SynchronousResponseCallback,
"SD",
NCP_ADMIN_FUNCTION,
NCP_CHANGE_CONN_AUTH_STATUS,
NCP_CONN_LICENSED );
if ( !NT_SUCCESS( Status ) ) {
DebugTrace( 0, Dbg, "Licensing failed to %wZ.\n", &(pIrpContext->pNpScb->pScb->UidServerName) );
}
return Status;
}
NTSTATUS
NdsUnlicenseConnection(
PIRP_CONTEXT pIrpContext
)
/*+++
Send the license NCP to the server to license this connection.
---*/
{
NTSTATUS Status;
PAGED_CODE();
DebugTrace( 0, Dbg, "Unlicensing connection to %wZ.\n", &(pIrpContext->pNpScb->pScb->UidServerName) );
//
// Change the authentication state of the connection.
//
Status = ExchangeWithWait ( pIrpContext,
SynchronousResponseCallback,
"SD",
NCP_ADMIN_FUNCTION,
NCP_CHANGE_CONN_AUTH_STATUS,
NCP_CONN_NOT_LICENSED );
if ( !NT_SUCCESS( Status ) ) {
DebugTrace( 0, Dbg, "Unlicensing failed to %wZ.\n", &(pIrpContext->pNpScb->pScb->UidServerName) );
}
return Status;
}
int
NdsGetBsafeKey(
UCHAR *pPubKey,
const int pubKeyLen,
UCHAR **ppBsafeKey
)
/*++
Routine Description:
Locate the BSAFE key from within the public key. Note that this does
not work for private keys in NDS format. For private keys, you just
skip the size word.
This is verbatim from Win95.
Routine Arguments:
pPubKey - A pointer to the public key.
pubKeyLen - The length of the public key.
ppBsafeKey - The pointer to the BSAFE key in the public key.
Return Value:
The length of the BSAFE key.
--*/
{
int bsafePubKeyLen = 0, totalDNLen;
char *pRcv;
NTSTATUS Status;
PAGED_CODE();
totalDNLen = 0;
Status = ParseResponse( NULL,
pPubKey,
pubKeyLen,
"G_W",
( 2 * sizeof( DWORD ) ) + sizeof( WORD ),
&totalDNLen );
if ( !NT_SUCCESS(Status) ) {
goto Exit;
}
Status = ParseResponse( NULL,
pPubKey,
pubKeyLen - 12,
"G__W",
12,
5 * sizeof( WORD ) +
3 * sizeof( DWORD ) +
totalDNLen,
&bsafePubKeyLen );
if ( !NT_SUCCESS(Status) ) {
goto Exit;
}
*ppBsafeKey = (UCHAR *) pPubKey +
14 +
5 * sizeof( WORD ) +
3 * sizeof( DWORD ) +
totalDNLen;
Exit:
return bsafePubKeyLen;
}
NTSTATUS
NdsLogoff(
IN PIRP_CONTEXT pIrpContext
)
/*++
Routine Description:
Sends a logout to the NDS tree, closes all NDS authenticated
connections, and destroys the current set of NDS credentials.
This routine acquires the credential list exclusive.
Arguments:
pIrpContext - The IRP context for this request pointed to a
valid dir server.
Notes:
This is only called from DeleteConnection. The caller owns
the RCB exclusive and we will free it before returning.
--*/
{
NTSTATUS Status;
LOCKED_BUFFER NdsRequest;
PNDS_SECURITY_CONTEXT pCredentials;
PLOGON pLogon;
PSCB pScb;
PNONPAGED_SCB pNpScb;
PLIST_ENTRY ScbQueueEntry;
PNONPAGED_SCB pNextNpScb;
KIRQL OldIrql;
//
// Grab the user's LOGON structure.
//
pNpScb = pIrpContext->pNpScb;
pScb = pNpScb->pScb;
//
// The caller owns the RCB.
//
pLogon = FindUser( &pScb->UserUid, FALSE );
if ( !pLogon ) {
DebugTrace( 0, Dbg, "Invalid security context for NdsLogoff.\n", 0 );
NwReleaseRcb( &NwRcb );
NwDequeueIrpContext( pIrpContext, FALSE );
return STATUS_NO_SUCH_USER;
}
//
// Check to make sure that we have something to log off from.
//
Status = NdsLookupCredentials( pIrpContext,
&pScb->NdsTreeName,
pLogon,
&pCredentials,
CREDENTIAL_WRITE,
FALSE );
if ( !NT_SUCCESS( Status )) {
DebugTrace( 0, Dbg, "NdsLogoff: Nothing to log off from.\n", 0 );
NwReleaseRcb( &NwRcb );
NwDequeueIrpContext( pIrpContext, FALSE );
return STATUS_NO_SUCH_LOGON_SESSION;
}
//
// If the credentials are locked, then someone is already
// doing a logout.
//
if ( pCredentials->CredentialLocked ) {
DebugTrace( 0, Dbg, "NdsLogoff: Logoff already in progress.\n", 0 );
NwReleaseCredList( pLogon, pIrpContext );
NwReleaseRcb( &NwRcb );
NwDequeueIrpContext( pIrpContext, FALSE );
return STATUS_DEVICE_BUSY;
}
//
// Mark the credential locked so we can logout without
// worrying about others logging in.
//
pCredentials->CredentialLocked = TRUE;
//
// Release all our resoures so we can jump around servers.
//
NwReleaseCredList( pLogon, pIrpContext );
NwReleaseRcb( &NwRcb );
NwDequeueIrpContext( pIrpContext, FALSE );
//
// Look through the scb list for connections that are in use. If all
// existing connections can be closed down, then we can complete the logout.
//
KeAcquireSpinLock( &ScbSpinLock, &OldIrql );
ScbQueueEntry = pNpScb->ScbLinks.Flink;
if ( ScbQueueEntry == &ScbQueue ) {
ScbQueueEntry = ScbQueue.Flink;
}
pNextNpScb = CONTAINING_RECORD( ScbQueueEntry, NONPAGED_SCB, ScbLinks );
NwReferenceScb( pNextNpScb );
KeReleaseSpinLock( &ScbSpinLock, OldIrql );
while ( pNextNpScb != pNpScb ) {
if ( pNextNpScb->pScb != NULL ) {
//
// Is this connection in use by us and is it NDS authenticated?
//
if ( RtlEqualUnicodeString( &pScb->NdsTreeName,
&pNextNpScb->pScb->NdsTreeName,
TRUE ) &&
( pScb->UserUid.QuadPart == pNextNpScb->pScb->UserUid.QuadPart ) &&
( pNextNpScb->State == SCB_STATE_IN_USE ) &&
( pNextNpScb->pScb->UserName.Length == 0 ) ) {
pIrpContext->pNpScb = pNextNpScb;
pIrpContext->pScb = pNextNpScb->pScb;
NwAppendToQueueAndWait( pIrpContext );
if ( pNextNpScb->pScb->OpenFileCount == 0 ) {
//
// Can we close it anyway? Should we check
// for open handles and the such here?
//
pNextNpScb->State = SCB_STATE_LOGIN_REQUIRED;
NwDequeueIrpContext( pIrpContext, FALSE );
} else {
DebugTrace( 0, Dbg, "NdsLogoff: Other connections in use.\n", 0 );
NwAcquireExclusiveCredList( pLogon, pIrpContext );
pCredentials->CredentialLocked = FALSE;
NwReleaseCredList( pLogon, pIrpContext );
NwDereferenceScb( pNextNpScb );
NwDequeueIrpContext( pIrpContext, FALSE );
return STATUS_CONNECTION_IN_USE;
}
}
}
//
// Select the next scb.
//
KeAcquireSpinLock( &ScbSpinLock, &OldIrql );
ScbQueueEntry = pNextNpScb->ScbLinks.Flink;
if ( ScbQueueEntry == &ScbQueue ) {
ScbQueueEntry = ScbQueue.Flink;
}
NwDereferenceScb( pNextNpScb );
pNextNpScb = CONTAINING_RECORD( ScbQueueEntry, NONPAGED_SCB, ScbLinks );
NwReferenceScb( pNextNpScb );
KeReleaseSpinLock( &ScbSpinLock, OldIrql );
}
//
// Check to make sure we can close the host scb.
//
if ( pScb->OpenFileCount != 0 ) {
DebugTrace( 0, Dbg, "NdsLogoff: Seed connection in use.\n", 0 );
NwAcquireExclusiveCredList( pLogon, pIrpContext );
pCredentials->CredentialLocked = FALSE;
NwReleaseCredList( pLogon, pIrpContext );
NwDereferenceScb( pNpScb );
return STATUS_CONNECTION_IN_USE;
}
//
// We can actually do the logout, so remove the credentials from
// the resource list, release the resource, and logout.
//
// If we are deleting the preferred tree credentials,
// then we need to clear the preferred server.
//
// We should try a little harder to free the preferred
// server ref count, too, but that's tricky with preferred
// server election.
//
if ( (pLogon->NdsCredentialList).Flink == &(pCredentials->Next) ) {
if ( pLogon->ServerName.Buffer != NULL ) {
DebugTrace( 0, Dbg, "Clearing preferred server at logout time.\n", 0 );
FREE_POOL( pLogon->ServerName.Buffer );
pLogon->ServerName.Length = pLogon->ServerName.MaximumLength = 0;
pLogon->ServerName.Buffer = NULL;
}
}
NwAcquireExclusiveCredList( pLogon, pIrpContext );
RemoveEntryList( &pCredentials->Next );
NwReleaseCredList( pLogon, pIrpContext );
FreeNdsContext( pCredentials );
pIrpContext->pNpScb = pNpScb;
pIrpContext->pScb = pScb;
//
// Try to send the logout request and hope the server
// is still up and reachable.
//
Status = NdsAllocateLockedBuffer( &NdsRequest, NDS_BUFFER_SIZE );
if ( NT_SUCCESS( Status ) ) {
Status = FragExWithWait( pIrpContext,
NDSV_LOGOUT,
&NdsRequest,
NULL );
NdsFreeLockedBuffer( &NdsRequest );
}
NwAppendToQueueAndWait( pIrpContext );
pNpScb->State = SCB_STATE_LOGIN_REQUIRED;
NwDequeueIrpContext( pIrpContext, FALSE );
NwDereferenceScb( pNpScb );
return STATUS_SUCCESS;
}
NTSTATUS
NdsLookupCredentials2(
IN PIRP_CONTEXT pIrpContext,
IN PUNICODE_STRING puTreeName,
IN PLOGON pLogon,
OUT PNDS_SECURITY_CONTEXT *ppCredentials,
BOOL LowerIrpHasLock
)
/*+++
Retrieve the nds credentials for the given tree from the
list of valid credentials for the specified user. This routine is
called only during a reconnect attempt.
puTreeName - The name of the tree that we want credentials for. If NULL
is specified, we return the credentials for the default tree.
pLogon - The logon structure for the user we want to access the tree.
ppCredentials - Where to put the pointed to the credentials.
LowerIrpHasLock - TRUE if the IRP_CONTEXT below the current one has the
lock.
If we succeed,we return the credentials. The caller is responsible for
releasing the list when done with the credentials.
If we fail, we release the credential list ourselves.
---*/
{
NTSTATUS Status;
PLIST_ENTRY pFirst, pNext;
PNDS_SECURITY_CONTEXT pNdsContext;
PAGED_CODE();
//
// Acquire the lock only if the lower IRP_CONTEXT does not hold
// the lock. If we always try to grab the lock, we will deadlock !
//
if (!LowerIrpHasLock){
NwAcquireExclusiveCredList( pLogon, pIrpContext );
}
pFirst = &pLogon->NdsCredentialList;
pNext = pLogon->NdsCredentialList.Flink;
while ( pNext && ( pFirst != pNext ) ) {
pNdsContext = (PNDS_SECURITY_CONTEXT)
CONTAINING_RECORD( pNext,
NDS_SECURITY_CONTEXT,
Next );
ASSERT( pNdsContext->ntc == NW_NTC_NDS_CREDENTIAL );
if ( !puTreeName ||
!RtlCompareUnicodeString( puTreeName,
&pNdsContext->NdsTreeName,
TRUE ) ) {
//
// If the tree name is null, we'll return the first one
// on the list. Otherwise this will work as normal.
//
*ppCredentials = pNdsContext;
return STATUS_SUCCESS;
}
pNext = pNdsContext->Next.Flink;
}
if (!LowerIrpHasLock) {
NwReleaseCredList( pLogon, pIrpContext );
}
return STATUS_UNSUCCESSFUL;
}
Reference in New Issue View Git Blame Copy Permalink