windows-nt/Source/XPSP1/NT/net/rras/ras/ppp/engine/auth.c

1762 lines
50 KiB
C
Raw Normal View History

2020-09-26 03:20:57 -05:00
/********************************************************************/
/** Copyright(c) 1989 Microsoft Corporation. **/
/********************************************************************/
//***
//
// Filename: auth.c
//
// Description: Contains FSM code to handle and authentication protocols.
//
// History:
// Nov 11,1993. NarenG Created original version.
// Jan 09,1995 RamC Save Lsa hToken in the PCB structure
// This will be closed
// in ProcessLineDownWorker() routine
// to release the RAS license.
#include <nt.h>
#include <ntrtl.h>
#include <nturtl.h> // needed for winbase.h
#include <windows.h> // Win32 base API's
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <lmcons.h>
#include <raserror.h>
#include <rasman.h>
#include <rtutils.h>
#include <mprlog.h>
#include <mprerror.h>
#include <rasppp.h>
#include <pppcp.h>
#include <ppp.h>
#include <auth.h>
#include <smevents.h>
#include <smaction.h>
#include <lcp.h>
#include <timer.h>
#include <util.h>
#include <worker.h>
#define INCL_RASAUTHATTRIBUTES
#define INCL_MISC
#include <ppputil.h>
DWORD
EapGetCredentials(
VOID *pWorkBuf,
VOID *ppCredentials);
//**
//
// Call: SetMsChapMppeKeys
//
// Returns: NO_ERROR - Success
// Non-zero returns - Failure
//
// Description: Set the MS-CHAP-MPPE-Keys with NDISWAN
//
DWORD
SetMsChapMppeKeys(
IN HPORT hPort,
IN RAS_AUTH_ATTRIBUTE * pAttribute,
IN BYTE * pChallenge,
IN BYTE * pResponse,
IN DWORD AP,
IN DWORD APData
)
{
RAS_COMPRESSION_INFO rciSend;
RAS_COMPRESSION_INFO rciReceive;
DWORD dwRetCode = NO_ERROR;
ASSERT( 8 == sizeof( rciSend.RCI_LMSessionKey ) );
ASSERT( 16 == sizeof( rciSend.RCI_UserSessionKey ) );
//
// Length of key is 8 (LM key) + 16 (NT key)
//
if ( pAttribute->dwLength < ( 6 + 8 + 16 ) )
{
return( ERROR_INVALID_PARAMETER );
}
ZeroMemory( &rciSend, sizeof( rciSend ) );
rciSend.RCI_MacCompressionType = 0xFF;
CopyMemory( rciSend.RCI_LMSessionKey,
((PBYTE)(pAttribute->Value))+6,
8 );
CopyMemory( rciSend.RCI_UserSessionKey,
((PBYTE)(pAttribute->Value))+6+8,
16 );
CopyMemory( rciSend.RCI_Challenge, pChallenge, 8 );
CopyMemory( rciSend.RCI_NTResponse, pResponse, 24 );
rciSend.RCI_Flags = CCP_SET_KEYS;
ZeroMemory( &rciReceive, sizeof( rciReceive ) );
rciReceive.RCI_MacCompressionType = 0xFF;
CopyMemory( rciReceive.RCI_LMSessionKey,
((PBYTE)(pAttribute->Value))+6,
8 );
CopyMemory( rciReceive.RCI_UserSessionKey,
((PBYTE)(pAttribute->Value))+6+8,
16 );
CopyMemory( rciReceive.RCI_Challenge, pChallenge, 8 );
CopyMemory( rciReceive.RCI_NTResponse, pResponse, 24 );
rciReceive.RCI_Flags = CCP_SET_KEYS;
rciSend.RCI_AuthType = AUTH_USE_MSCHAPV2;
rciReceive.RCI_AuthType = AUTH_USE_MSCHAPV2;
if ( ( AP == PPP_CHAP_PROTOCOL ) &&
( APData == PPP_CHAP_DIGEST_MSEXT ))
{
rciSend.RCI_AuthType = AUTH_USE_MSCHAPV1;
rciReceive.RCI_AuthType = AUTH_USE_MSCHAPV1;
}
dwRetCode = RasCompressionSetInfo(hPort,&rciSend,&rciReceive);
if ( dwRetCode != NO_ERROR )
{
PppLog( 1,"RasCompressionSetInfo failed, Error=%d", dwRetCode );
}
return( dwRetCode );
}
//**
//
// Call: SetMsMppeSendRecvKeys
//
// Returns: NO_ERROR - Success
// Non-zero returns - Failure
//
// Description: Set the MS-MPPE-Send-Key and MS-MPPE-Recv-Key with NDISWAN
//
DWORD
SetMsMppeSendRecvKeys(
IN HPORT hPort,
IN RAS_AUTH_ATTRIBUTE * pAttributeSendKey,
IN RAS_AUTH_ATTRIBUTE * pAttributeRecvKey
)
{
RAS_COMPRESSION_INFO rciSend;
RAS_COMPRESSION_INFO rciRecv;
DWORD dwRetCode = NO_ERROR;
//
// 4: for Vendor-Id.
//
// The Microsoft Vendor-specific RADIUS Attributes draft says that
// Vendor-Length should be > 4.
//
if ( pAttributeSendKey->dwLength <= ( 4 + 4 ) )
{
return( ERROR_INVALID_PARAMETER );
}
ZeroMemory( &rciSend, sizeof( rciSend ) );
rciSend.RCI_MacCompressionType = 0xFF;
rciSend.RCI_EapKeyLength = *(((BYTE*)(pAttributeSendKey->Value))+8);
CopyMemory( rciSend.RCI_EapKey,
((BYTE*)(pAttributeSendKey->Value))+9,
rciSend.RCI_EapKeyLength );
rciSend.RCI_Flags = CCP_SET_KEYS;
rciSend.RCI_AuthType = AUTH_USE_EAP;
if ( pAttributeRecvKey->dwLength <= ( 4 + 4 ) )
{
return( ERROR_INVALID_PARAMETER );
}
ZeroMemory( &rciRecv, sizeof( rciRecv ) );
rciRecv.RCI_MacCompressionType = 0xFF;
rciRecv.RCI_EapKeyLength = *(((BYTE*)(pAttributeRecvKey->Value))+8);
CopyMemory( rciRecv.RCI_EapKey,
((BYTE*)(pAttributeRecvKey->Value))+9,
rciRecv.RCI_EapKeyLength );
rciRecv.RCI_Flags = CCP_SET_KEYS;
rciRecv.RCI_AuthType = AUTH_USE_EAP;
dwRetCode = RasCompressionSetInfo(hPort,&rciSend,&rciRecv);
if ( dwRetCode != NO_ERROR )
{
PppLog( 1,"RasCompressionSetInfo failed, Error=%d", dwRetCode );
}
return( dwRetCode );
}
//**
//
// Call: SetUserAuthorizedAttributes
//
// Returns: NO_ERROR - Success
// Non-zero returns - Failure
//
// Description:
//
DWORD
SetUserAuthorizedAttributes(
IN PCB * pPcb,
IN RAS_AUTH_ATTRIBUTE * pUserAttributes,
IN BOOL fAuthenticator,
IN BYTE * pChallenge,
IN BYTE * pResponse
)
{
RAS_AUTH_ATTRIBUTE * pAttribute;
RAS_AUTH_ATTRIBUTE * pAttributeSendKey;
RAS_AUTH_ATTRIBUTE * pAttributeRecvKey;
DWORD dwRetCode;
DWORD dwEncryptionPolicy = 0;
DWORD dwEncryptionTypes = 0;
BOOL fL2tp = FALSE;
BOOL fPptp = FALSE;
CreateAccountingAttributes( pPcb );
if ( RAS_DEVICE_TYPE( pPcb->dwDeviceType ) == RDT_Tunnel_L2tp )
{
fL2tp = TRUE;
}
if ( RAS_DEVICE_TYPE( pPcb->dwDeviceType ) == RDT_Tunnel_Pptp )
{
fPptp = TRUE;
}
//
// Find out if we are to require encrypted data using MPPE
//
pAttribute = RasAuthAttributeGetVendorSpecific( 311, 7, pUserAttributes );
if ( pAttribute != NULL )
{
dwEncryptionPolicy
= WireToHostFormat32(((BYTE*)(pAttribute->Value))+6);
pAttribute = RasAuthAttributeGetVendorSpecific( 311,
8,
pUserAttributes );
if ( pAttribute != NULL )
{
dwEncryptionTypes
= WireToHostFormat32(((BYTE*)(pAttribute->Value))+6);
if ( dwEncryptionPolicy == 2 )
{
if (!fL2tp)
{
//
// Find out what types of encryption are to be required
//
if ( ( dwEncryptionTypes & 0x00000002 )
|| ( dwEncryptionTypes & 0x00000008 ) )
{
pPcb->ConfigInfo.dwConfigMask
|= PPPCFG_RequireEncryption;
PppLog( 1,"Encryption" );
}
if ( dwEncryptionTypes & 0x00000004 )
{
pPcb->ConfigInfo.dwConfigMask
|= PPPCFG_RequireStrongEncryption;
PppLog( 1,"Strong encryption" );
}
if ( dwEncryptionTypes == 0 )
{
pPcb->ConfigInfo.dwConfigMask
|= PPPCFG_DisableEncryption;
PppLog( 1,"Encryption is not allowed" );
}
}
}
else if ( dwEncryptionPolicy == 1 )
{
//
// Find out what types of encryption are to be allowed
//
if ( !fL2tp && !dwEncryptionTypes )
{
pPcb->ConfigInfo.dwConfigMask |= PPPCFG_DisableEncryption;
PppLog( 1,"Encryption is not allowed" );
}
}
}
}
//
// Set encryption keys if we got them, provided we have not already done so
//
if ( !( pPcb->fFlags & PCBFLAG_MPPE_KEYS_SET ) )
{
pAttribute = RasAuthAttributeGetVendorSpecific(
311, 12, pUserAttributes);
if ( pAttribute != NULL )
{
//
// Set the MS-CHAP-MPPE-Keys with NDISWAN
//
LCPCB * pLcpCb = (LCPCB*)(pPcb->LcpCb.pWorkBuf);
DWORD AP;
DWORD APData = 0;
AP = ( fAuthenticator ? pLcpCb->Local.Work.AP :
pLcpCb->Remote.Work.AP );
if ( AP == PPP_CHAP_PROTOCOL )
{
APData = ( fAuthenticator ? *(pLcpCb->Local.Work.pAPData) :
*(pLcpCb->Remote.Work.pAPData) );
}
dwRetCode = SetMsChapMppeKeys( pPcb->hPort,
pAttribute,
pChallenge,
pResponse,
AP,
APData
);
if ( NO_ERROR != dwRetCode )
{
return( dwRetCode );
}
PppLog( 1,"MS-CHAP-MPPE-Keys set" );
pPcb->fFlags |= PCBFLAG_MPPE_KEYS_SET;
}
pAttributeSendKey = RasAuthAttributeGetVendorSpecific( 311, 16,
pUserAttributes );
pAttributeRecvKey = RasAuthAttributeGetVendorSpecific( 311, 17,
pUserAttributes );
if ( ( pAttributeSendKey != NULL )
&& ( pAttributeRecvKey != NULL ) )
{
//
// Set the MS-MPPE-Send-Key and MS-MPPE-Recv-Key with NDISWAN
//
dwRetCode = SetMsMppeSendRecvKeys( pPcb->hPort,
pAttributeSendKey,
pAttributeRecvKey
);
if ( NO_ERROR != dwRetCode )
{
return( dwRetCode );
}
PppLog( 1,"MPPE-Send/Recv-Keys set" );
pPcb->fFlags |= PCBFLAG_MPPE_KEYS_SET;
}
}
//
// Check if L2tp is being used
//
if ( fL2tp )
{
DWORD dwMask = 0;
DWORD dwSize = sizeof(DWORD);
DWORD dwConfigMask;
dwRetCode = RasGetPortUserData( pPcb->hPort, PORT_IPSEC_INFO_INDEX,
(BYTE*) &dwMask, &dwSize );
if ( NO_ERROR != dwRetCode )
{
PppLog( 1, "RasGetPortUserData failed: 0x%x", dwRetCode );
dwRetCode = NO_ERROR;
}
PppLog( 1, "Checking encryption. Policy=0x%x,Types=0x%x,Mask=0x%x",
dwEncryptionPolicy, dwEncryptionTypes, dwMask );
if ( dwMask == RASMAN_IPSEC_ESP_DES )
{
pPcb->pBcb->fFlags |= BCBFLAG_BASIC_ENCRYPTION;
}
else if ( dwMask == RASMAN_IPSEC_ESP_3_DES )
{
pPcb->pBcb->fFlags |= BCBFLAG_STRONGEST_ENCRYPTION;
}
if ( !fAuthenticator )
{
//
// If the user requires maximum encryption (3DES), but we
// negotiated weaker encryption (56-bit DES), then return an error.
//
dwConfigMask = pPcb->ConfigInfo.dwConfigMask;
if ( ( dwConfigMask & PPPCFG_RequireStrongEncryption )
&& !( dwConfigMask & PPPCFG_RequireEncryption )
&& !( dwConfigMask & PPPCFG_DisableEncryption )
&& ( dwMask != RASMAN_IPSEC_ESP_3_DES ) )
{
return( ERROR_NO_REMOTE_ENCRYPTION );
}
//
// We are done with the PPPCFG_Require*Encryption flags. Let us now
// turn them off because we don't care what kind of encryption CCP
// negotiates.
//
pPcb->ConfigInfo.dwConfigMask &= ~PPPCFG_RequireStrongEncryption;
pPcb->ConfigInfo.dwConfigMask &= ~PPPCFG_RequireEncryption;
}
else if ( dwEncryptionPolicy != 0 )
{
BOOL fPolicyError = FALSE;
//
// There is an encryption policy
//
switch ( dwMask )
{
case 0:
if ( ( dwEncryptionPolicy == 2 )
&& ( dwEncryptionTypes != 0 ) )
{
fPolicyError = TRUE;
break;
}
break;
case RASMAN_IPSEC_ESP_DES:
if ( !( dwEncryptionTypes & 0x00000002 )
&& !( dwEncryptionTypes & 0x00000008 ) )
{
fPolicyError = TRUE;
break;
}
break;
case RASMAN_IPSEC_ESP_3_DES:
if (!( dwEncryptionTypes & 0x00000004 ) )
{
fPolicyError = TRUE;
break;
}
break;
}
if ( fPolicyError )
{
//
// We need to send an Accounting Stop if RADIUS sends an Access
// Accept but we still drop the line.
//
pPcb->fFlags |= PCBFLAG_SERVICE_UNAVAILABLE;
return( ERROR_NO_REMOTE_ENCRYPTION );
}
}
}
//
// If we require encryption make sure we have the keys and that CCP is
// loaded.
//
if ( pPcb->ConfigInfo.dwConfigMask & ( PPPCFG_RequireEncryption |
PPPCFG_RequireStrongEncryption ) )
{
if ( !( pPcb->fFlags & PCBFLAG_MPPE_KEYS_SET )
|| ( GetCpIndexFromProtocol( PPP_CCP_PROTOCOL ) == -1 ) )
{
//
// We need to send an Accounting Stop if RADIUS sends an Access
// Accept but we still drop the line.
//
pPcb->fFlags |= PCBFLAG_SERVICE_UNAVAILABLE;
return( ERROR_NO_LOCAL_ENCRYPTION );
}
}
//
// If we are not the authenticator then there is nothing more to set
//
if ( !fAuthenticator )
{
return( NO_ERROR );
}
//
// Check framed protocol attribute. It must be PPP.
//
pAttribute = RasAuthAttributeGet( raatFramedProtocol, pUserAttributes );
if ( pAttribute != NULL )
{
if ( PtrToUlong(pAttribute->Value) != 1 )
{
//
// We need to send an Accounting Stop if RADIUS sends an Access
// Accept but we still drop the line.
//
pPcb->fFlags |= PCBFLAG_SERVICE_UNAVAILABLE;
return( ERROR_UNKNOWN_FRAMED_PROTOCOL );
}
}
//
// Check tunnel type attribute. It must be correct.
//
pAttribute = RasAuthAttributeGet( raatTunnelType, pUserAttributes );
if ( pAttribute != NULL )
{
DWORD dwTunnelType = PtrToUlong(pAttribute->Value);
if ( ( fL2tp && ( dwTunnelType != 3 ) )
|| ( fPptp && ( dwTunnelType != 1 ) ) )
{
//
// We need to send an Accounting Stop if RADIUS sends an Access
// Accept but we still drop the line.
//
pPcb->fFlags |= PCBFLAG_SERVICE_UNAVAILABLE;
return( ERROR_WRONG_TUNNEL_TYPE );
}
}
//
// Get the logon domain attribute
//
pAttribute = RasAuthAttributeGetVendorSpecific( 311, 10, pUserAttributes );
if ( pAttribute != NULL )
{
DWORD cbDomain = sizeof( pPcb->pBcb->szRemoteDomain ) - 1;
if ( ( pAttribute->dwLength - 7 ) < cbDomain )
{
cbDomain = pAttribute->dwLength - 7;
}
ZeroMemory( pPcb->pBcb->szRemoteDomain,
sizeof( pPcb->pBcb->szRemoteDomain ) );
CopyMemory( pPcb->pBcb->szRemoteDomain,
(LPSTR)((PBYTE)(pAttribute->Value)+7),
cbDomain );
PppLog( 2, "Auth Attribute Domain = %s", pPcb->pBcb->szRemoteDomain);
}
//
// Setup callback information, default is no callback
//
pPcb->fCallbackPrivilege = RASPRIV_NoCallback;
pPcb->szCallbackNumber[0] = (CHAR)NULL;
pAttribute = RasAuthAttributeGet( raatServiceType, pUserAttributes );
if ( pAttribute != NULL )
{
if ( PtrToUlong(pAttribute->Value) == 4 )
{
//
// If service type is callback framed
//
pAttribute=RasAuthAttributeGet(raatCallbackNumber,pUserAttributes);
if ( ( pAttribute == NULL ) || ( pAttribute->dwLength == 0 ) )
{
pPcb->fCallbackPrivilege = RASPRIV_NoCallback |
RASPRIV_CallerSetCallback;
pPcb->szCallbackNumber[0] = (CHAR)NULL;
PppLog(2,"Auth Attribute Caller Specifiable callback");
}
else
{
pPcb->fCallbackPrivilege = RASPRIV_AdminSetCallback;
ZeroMemory(pPcb->szCallbackNumber,
sizeof(pPcb->szCallbackNumber));
CopyMemory( pPcb->szCallbackNumber,
pAttribute->Value,
pAttribute->dwLength );
PppLog( 2, "Auth Attribute Forced callback to %s",
pPcb->szCallbackNumber );
//
// Don't accept BAP Call-Requests. Otherwise, when the client
// calls us, we will drop the line and callback. The first call
// would be a waste.
//
pPcb->pBcb->fFlags &= ~BCBFLAG_CAN_ACCEPT_CALLS;
}
}
else if ( PtrToUlong(pAttribute->Value) != 2 )
{
PppLog( 2, "Service Type %d is not of type Framed",
PtrToUlong(pAttribute->Value) );
//
// We need to send an Accounting Stop if RADIUS sends an Access
// Accept but we still drop the line.
//
pPcb->fFlags |= PCBFLAG_SERVICE_UNAVAILABLE;
return( ERROR_UNKNOWN_SERVICE_TYPE );
}
}
if ( ( pPcb->fCallbackPrivilege & RASPRIV_CallerSetCallback )
|| ( pPcb->fCallbackPrivilege & RASPRIV_AdminSetCallback ) )
{
pPcb->pBcb->fFlags |= BCBFLAG_CAN_CALL;
}
//
// Use idle-timeout value if we got one.
//
pAttribute = RasAuthAttributeGet( raatIdleTimeout, pUserAttributes );
if ( pAttribute != NULL )
{
pPcb->dwAutoDisconnectTime = PtrToUlong(pAttribute->Value);
}
else
{
pPcb->dwAutoDisconnectTime = PppConfigInfo.dwDefaulIdleTimeout;
}
PppLog( 2, "Auth Attribute Idle Timeout Seconds = %d",
pPcb->dwAutoDisconnectTime );
//
// Use MaxChannels value if we got one.
//
pAttribute = RasAuthAttributeGet( raatPortLimit, pUserAttributes );
if ( pAttribute != NULL )
{
if ( PtrToUlong(pAttribute->Value) > 0 )
{
pPcb->pBcb->dwMaxLinksAllowed = PtrToUlong(pAttribute->Value);
}
else
{
pPcb->pBcb->dwMaxLinksAllowed = PppConfigInfo.dwDefaultPortLimit;
}
}
else
{
pPcb->pBcb->dwMaxLinksAllowed = PppConfigInfo.dwDefaultPortLimit;
}
PppLog( 2, "AuthAttribute MaxChannelsAllowed = %d",
pPcb->pBcb->dwMaxLinksAllowed );
//
// See if BAP is required
//
pAttribute = RasAuthAttributeGetVendorSpecific( 311, 13, pUserAttributes );
if ( pAttribute != NULL )
{
if ( WireToHostFormat32( (PBYTE)(pAttribute->Value)+6 ) == 2 )
{
PppLog( 2, "AuthAttribute BAPRequired" );
pPcb->pBcb->fFlags |= BCBFLAG_BAP_REQUIRED;
}
}
//
// For the server never send a request bring up the line
//
pPcb->pBcb->BapParams.dwDialExtraPercent = 100;
pPcb->pBcb->BapParams.dwDialExtraSampleSeconds = 100;
pAttribute = RasAuthAttributeGetVendorSpecific( 311, 14, pUserAttributes );
if ( ( pAttribute != NULL ) && ( pAttribute->dwLength == 10 ) )
{
pPcb->pBcb->BapParams.dwHangUpExtraPercent =
WireToHostFormat32( ((BYTE *)(pAttribute->Value))+6 );
PppLog( 2, "AuthAttribute BAPLineDownLimit = %d",
pPcb->pBcb->BapParams.dwHangUpExtraPercent );
}
else
{
pPcb->pBcb->BapParams.dwHangUpExtraPercent =
PppConfigInfo.dwHangupExtraPercent;
}
pAttribute = RasAuthAttributeGetVendorSpecific( 311, 15, pUserAttributes );
if ( ( pAttribute != NULL ) && ( pAttribute->dwLength == 10 ) )
{
pPcb->pBcb->BapParams.dwHangUpExtraSampleSeconds =
WireToHostFormat32( ((BYTE *)(pAttribute->Value))+6 );
PppLog( 2, "AuthAttribute BAPLineDownTime = %d",
pPcb->pBcb->BapParams.dwHangUpExtraSampleSeconds );
}
else
{
pPcb->pBcb->BapParams.dwHangUpExtraSampleSeconds =
PppConfigInfo.dwHangUpExtraSampleSeconds;
}
return( NO_ERROR );
}
//**
//
// Call: RasAuthenticateUserWorker
//
// Returns: None.
//
// Description:
//
VOID
RasAuthenticateUserWorker(
PVOID pContext
)
{
PCB_WORK_ITEM * pWorkItem = (PCB_WORK_ITEM *)pContext;
pWorkItem->PppMsg.AuthInfo.dwError =
(*PppConfigInfo.RasAuthProviderAuthenticateUser)(
pWorkItem->PppMsg.AuthInfo.pInAttributes,
&(pWorkItem->PppMsg.AuthInfo.pOutAttributes),
&(pWorkItem->PppMsg.AuthInfo.dwResultCode) );
RasAuthAttributeDestroy( pWorkItem->PppMsg.AuthInfo.pInAttributes );
InsertWorkItemInQ( pWorkItem );
}
//**
//
// Call: RasAuthenticateClient
//
// Returns: NO_ERROR - Success
// Non-zero returns - Failure
//
// Description:
//
DWORD
RasAuthenticateClient(
IN HPORT hPort,
IN RAS_AUTH_ATTRIBUTE * pInAttributes
)
{
PCB * pPcb = GetPCBPointerFromhPort( hPort );
LCPCB * pLcpCb = NULL;
PCB_WORK_ITEM * pWorkItem = NULL;
DWORD dwRetCode = NO_ERROR;
if ( pPcb == NULL )
{
RasAuthAttributeDestroy( pInAttributes );
return( ERROR_INVALID_PORT_HANDLE );
}
pLcpCb = (LCPCB*)(pPcb->LcpCb.pWorkBuf);
pWorkItem = (PCB_WORK_ITEM *)LOCAL_ALLOC( LPTR, sizeof(PCB_WORK_ITEM) );
if ( pWorkItem == (PCB_WORK_ITEM *)NULL )
{
LogPPPEvent( ROUTERLOG_NOT_ENOUGH_MEMORY, GetLastError() );
RasAuthAttributeDestroy( pInAttributes );
return( GetLastError() );
}
pWorkItem->hPort = hPort;
pWorkItem->dwPortId = pPcb->dwPortId;
pWorkItem->Protocol = pLcpCb->Local.Work.AP;
pWorkItem->PppMsg.AuthInfo.pInAttributes = pInAttributes;
pWorkItem->PppMsg.AuthInfo.dwId = GetUId( pPcb, LCP_INDEX );
pWorkItem->Process = ProcessAuthInfo;
pPcb->dwOutstandingAuthRequestId = pWorkItem->PppMsg.AuthInfo.dwId;
dwRetCode = RtlNtStatusToDosError( RtlQueueWorkItem( RasAuthenticateUserWorker,
pWorkItem,
WT_EXECUTEDEFAULT ) );
if ( dwRetCode != NO_ERROR )
{
RasAuthAttributeDestroy( pInAttributes );
LOCAL_FREE( pWorkItem );
}
return( dwRetCode );
}
//**
//
// Call: RemoteError
//
// Returns: DWORD - Remote version of this error
//
// Description: Called by a client authenticating the server.
//
DWORD
RemoteError(
IN DWORD dwError
)
{
switch( dwError )
{
case ERROR_NO_DIALIN_PERMISSION:
return( ERROR_REMOTE_NO_DIALIN_PERMISSION );
case ERROR_PASSWD_EXPIRED:
return( ERROR_REMOTE_PASSWD_EXPIRED );
case ERROR_ACCT_DISABLED:
return( ERROR_REMOTE_ACCT_DISABLED );
case ERROR_RESTRICTED_LOGON_HOURS:
return( ERROR_REMOTE_RESTRICTED_LOGON_HOURS );
case ERROR_AUTHENTICATION_FAILURE:
return( ERROR_REMOTE_AUTHENTICATION_FAILURE );
case ERROR_REQ_NOT_ACCEP:
return( ERROR_LICENSE_QUOTA_EXCEEDED );
default:
return( dwError );
}
}
//**
//
// Call: ApIsAuthenticatorPacket
//
// Returns: TRUE - Packet belongs to authenticator
// FALSE - Otherwise
//
// Description: Called to figure out whether to send the auth packet to the
// authenticator or authenticatee.
//
BOOL
ApIsAuthenticatorPacket(
IN DWORD CpIndex,
IN BYTE bConfigCode
)
{
switch( CpTable[CpIndex].CpInfo.Protocol )
{
case PPP_PAP_PROTOCOL:
switch( bConfigCode )
{
case 1:
return( TRUE );
default:
return( FALSE );
}
break;
case PPP_CHAP_PROTOCOL:
switch( bConfigCode )
{
case 2:
case 5:
case 6:
case 7:
return( TRUE );
default:
return( FALSE );
}
break;
case PPP_SPAP_NEW_PROTOCOL:
switch( bConfigCode )
{
case 1:
case 6:
return( TRUE );
default:
return( FALSE );
}
break;
case PPP_EAP_PROTOCOL:
switch( bConfigCode )
{
case 2:
return( TRUE );
default:
return( FALSE );
}
break;
default:
PPP_ASSERT( FALSE );
}
PPP_ASSERT( FALSE );
return( FALSE );
}
//**
//
// Call: ApStart
//
// Returns: TRUE - Success
// FALSE - Otherwise
//
// Description: Called to initiatialze the authetication protocol and to
// initiate to authentication.
//
BOOL
ApStart(
IN PCB * pPcb,
IN DWORD CpIndex,
IN BOOL fAuthenticator
)
{
DWORD dwRetCode;
PPPAP_INPUT PppApInput;
LCPCB * pLcpCb = (LCPCB*)(pPcb->LcpCb.pWorkBuf);
CPCB * pCpCb = ( fAuthenticator )
? &(pPcb->AuthenticatorCb)
: &(pPcb->AuthenticateeCb);
pCpCb->fConfigurable = TRUE;
pCpCb->State = FSM_INITIAL;
pCpCb->Protocol = CpTable[CpIndex].CpInfo.Protocol;
pCpCb->LastId = (DWORD)-1;
InitRestartCounters( pPcb, pCpCb );
ZeroMemory( &PppApInput, sizeof( PppApInput ) );
PppApInput.hPort = pPcb->hPort;
PppApInput.fServer = fAuthenticator;
PppApInput.fRouter = ( ROUTER_IF_TYPE_FULL_ROUTER ==
pPcb->pBcb->InterfaceInfo.IfType );
PppApInput.Luid = pPcb->Luid;
PppApInput.dwEapTypeToBeUsed = pPcb->dwEapTypeToBeUsed;
PppApInput.hTokenImpersonateUser = pPcb->pBcb->hTokenImpersonateUser;
PppApInput.pCustomAuthConnData = pPcb->pBcb->pCustomAuthConnData;
PppApInput.pCustomAuthUserData = pPcb->pBcb->pCustomAuthUserData;
PppApInput.EapUIData = pPcb->pBcb->EapUIData;
PppApInput.fLogon = ( pPcb->pBcb->fFlags &
BCBFLAG_LOGON_USER_DATA );
PppApInput.fNonInteractive = ( pPcb->fFlags &
PCBFLAG_NON_INTERACTIVE );
PppApInput.fConfigInfo = pPcb->ConfigInfo.dwConfigMask;
if ( fAuthenticator )
{
PppApInput.dwRetries = pPcb->dwAuthRetries;
PppApInput.pAPData = pLcpCb->Local.Work.pAPData;
PppApInput.APDataSize = pLcpCb->Local.Work.APDataSize;
PppApInput.pUserAttributes = pPcb->pUserAttributes;
ZeroMemory( &pPcb->pBcb->szRemoteUserName,
sizeof( pPcb->pBcb->szRemoteUserName ) );
}
else
{
//
// If we are a server and we do not know who is dialing in and therefore
// do not have credentials to use for being authenticated by the
// remote peer, then we wait till we do.
//
if ( pPcb->fFlags & PCBFLAG_IS_SERVER )
{
if ( strlen( pPcb->pBcb->szRemoteUserName ) == 0 )
{
PppLog(1,"Remote user not identifiable at this time, waiting");
return( FALSE );
}
//
// Ok we know who is dialed in so get credentials to used for this
// connection.
//
dwRetCode = GetCredentialsFromInterface( pPcb );
if ( dwRetCode != NO_ERROR )
{
//
// We do not have credentials to use for this user so we
// renegotiate LCP and do not accept the authentication option
//
PppLog( 1, "No credentials available to use for user=%s",
pPcb->pBcb->szRemoteUserName );
FsmDown( pPcb, LCP_INDEX );
pLcpCb->Remote.WillNegotiate &= (~LCP_N_AUTHENT);
FsmUp( pPcb, LCP_INDEX );
return( FALSE );
}
}
//
// Decode the password
//
DecodePw( pPcb->pBcb->chSeed, pPcb->pBcb->szPassword );
DecodePw( pPcb->pBcb->chSeed, pPcb->pBcb->szOldPassword );
PppApInput.pszUserName = pPcb->pBcb->szLocalUserName;
PppApInput.pszPassword = pPcb->pBcb->szPassword;
PppApInput.pszDomain = pPcb->pBcb->szLocalDomain;
PppApInput.pszOldPassword = pPcb->pBcb->szOldPassword;
PppApInput.pAPData = pLcpCb->Remote.Work.pAPData;
PppApInput.APDataSize = pLcpCb->Remote.Work.APDataSize;
PppApInput.dwInitialPacketId = (DWORD)GetUId( pPcb, CpIndex );
if ( CpTable[CpIndex].CpInfo.Protocol == PPP_EAP_PROTOCOL )
{
PppApInput.fPortWillBeBundled = WillPortBeBundled( pPcb );
PppApInput.fThisIsACallback =
( pPcb->fFlags & PCBFLAG_THIS_IS_A_CALLBACK );
}
}
dwRetCode = (CpTable[CpIndex].CpInfo.RasCpBegin)(&(pCpCb->pWorkBuf),
&PppApInput );
if ( !fAuthenticator )
{
//
// Encode the password back
//
EncodePw( pPcb->pBcb->chSeed, pPcb->pBcb->szPassword );
EncodePw( pPcb->pBcb->chSeed, pPcb->pBcb->szOldPassword );
}
if ( dwRetCode != NO_ERROR )
{
pPcb->LcpCb.dwError = dwRetCode;
NotifyCallerOfFailure( pPcb, dwRetCode );
return( FALSE );
}
PppLog(1,"Calling APWork in APStart");
ApWork( pPcb, CpIndex, NULL, NULL, fAuthenticator );
return( TRUE );
}
//**
//
// Call: ApStop
//
// Returns: none
//
// Description: Called to stop the authentication machine.
//
VOID
ApStop(
IN PCB * pPcb,
IN DWORD CpIndex,
IN BOOL fAuthenticator
)
{
CPCB * pCpCb = ( fAuthenticator )
? &(pPcb->AuthenticatorCb)
: &(pPcb->AuthenticateeCb);
if ( pCpCb->pWorkBuf == NULL )
{
return;
}
pCpCb->Protocol = 0;
pCpCb->fConfigurable = FALSE;
if ( pCpCb->LastId != (DWORD)-1 )
{
RemoveFromTimerQ(
pPcb->dwPortId,
pCpCb->LastId,
CpTable[CpIndex].CpInfo.Protocol,
fAuthenticator,
TIMER_EVENT_TIMEOUT );
}
(CpTable[CpIndex].CpInfo.RasCpEnd)( pCpCb->pWorkBuf );
pCpCb->pWorkBuf = NULL;
}
//**
//
// Call: ApWork
//
// Returns: none
//
// Description: Called when and authentication packet was received or
// a timeout occurred or to initiate authentication.
//
VOID
ApWork(
IN PCB * pPcb,
IN DWORD CpIndex,
IN PPP_CONFIG * pRecvConfig,
IN PPPAP_INPUT * pApInput,
IN BOOL fAuthenticator
)
{
DWORD dwRetCode;
DWORD dwLength;
PPPAP_RESULT ApResult;
PPP_CONFIG * pSendConfig = (PPP_CONFIG*)(pPcb->pSendBuf->Information);
LCPCB * pLcpCb = (LCPCB*)(pPcb->LcpCb.pWorkBuf);
CPCB * pCpCb = ( fAuthenticator )
? &(pPcb->AuthenticatorCb)
: &(pPcb->AuthenticateeCb);
//
// If the protocol has not been started yet, call ApStart
//
if ( pCpCb->pWorkBuf == NULL )
{
if ( !ApStart( pPcb, CpIndex, fAuthenticator ) )
{
return;
}
}
ZeroMemory( &ApResult, sizeof(ApResult) );
dwRetCode = (CpTable[CpIndex].CpInfo.RasApMakeMessage)(
pCpCb->pWorkBuf,
pRecvConfig,
pSendConfig,
((pLcpCb->Remote.Work.MRU > LCP_DEFAULT_MRU)
? LCP_DEFAULT_MRU : pLcpCb->Remote.Work.MRU)
- PPP_PACKET_HDR_LEN,
&ApResult,
pApInput );
if ( NULL != ApResult.szReplyMessage )
{
LocalFree( pPcb->pBcb->szReplyMessage );
pPcb->pBcb->szReplyMessage = ApResult.szReplyMessage;
}
if ( dwRetCode != NO_ERROR )
{
switch( dwRetCode )
{
case ERROR_PPP_INVALID_PACKET:
PppLog( 1, "Silently discarding invalid auth packet on port %d",
pPcb->hPort );
break;
default:
pPcb->LcpCb.dwError = dwRetCode;
PppLog( 1, "Auth Protocol %x returned error %d",
CpTable[CpIndex].CpInfo.Protocol, dwRetCode );
if ( fAuthenticator )
{
//
// Get the username from the CP if it supplies one.
//
if ( strlen( ApResult.szUserName ) > 0 )
{
strcpy( pPcb->pBcb->szRemoteUserName, ApResult.szUserName );
}
}
NotifyCallerOfFailure( pPcb, dwRetCode );
break;
}
return;
}
//
// Check to see if we have to save any user data
//
if ( ( !fAuthenticator ) && ( ApResult.fSaveUserData ) )
{
dwRetCode = RasSetEapUserDataA(
pPcb->pBcb->hTokenImpersonateUser,
pPcb->pBcb->szPhonebookPath,
pPcb->pBcb->szEntryName,
ApResult.pUserData,
ApResult.dwSizeOfUserData );
PppLog( 2, "Saved EAP data for user, dwRetCode = %d", dwRetCode );
}
//
// Check to see if we have to save any connection data
//
if ( ( !fAuthenticator ) && ( ApResult.fSaveConnectionData ) &&
( 0 != ApResult.SetCustomAuthData.dwSizeOfConnectionData ) )
{
NotifyCaller( pPcb, PPPMSG_SetCustomAuthData,
&(ApResult.SetCustomAuthData) );
PppLog( 2, "Saved EAP data for connection" );
}
switch( ApResult.Action )
{
case APA_Send:
case APA_SendWithTimeout:
case APA_SendWithTimeout2:
case APA_SendAndDone:
HostToWireFormat16( (WORD)CpTable[CpIndex].CpInfo.Protocol,
(PBYTE)(pPcb->pSendBuf->Protocol) );
dwLength = WireToHostFormat16( pSendConfig->Length );
LogPPPPacket(FALSE,pPcb,pPcb->pSendBuf,dwLength+PPP_PACKET_HDR_LEN);
if ( ( dwRetCode = PortSendOrDisconnect( pPcb,
(dwLength + PPP_PACKET_HDR_LEN)))
!= NO_ERROR )
{
return;
}
pCpCb->LastId = (DWORD)-1;
if ( ( ApResult.Action == APA_SendWithTimeout ) ||
( ApResult.Action == APA_SendWithTimeout2 ) )
{
pCpCb->LastId = ApResult.bIdExpected;
InsertInTimerQ( pPcb->dwPortId,
pPcb->hPort,
pCpCb->LastId,
CpTable[CpIndex].CpInfo.Protocol,
fAuthenticator,
TIMER_EVENT_TIMEOUT,
pPcb->RestartTimer );
//
// For SendWithTimeout2 we increment the ConfigRetryCount. This
// means send with infinite retry count
//
if ( ApResult.Action == APA_SendWithTimeout2 )
{
(pCpCb->ConfigRetryCount)++;
}
}
if ( ApResult.Action != APA_SendAndDone )
{
break;
}
case APA_Done:
switch( ApResult.dwError )
{
case NO_ERROR:
//
// If authentication was successful
//
if ( CpTable[CpIndex].CpInfo.Protocol == PPP_EAP_PROTOCOL )
{
if ( fAuthenticator )
{
pPcb->dwServerEapTypeId = ApResult.dwEapTypeId;
}
else
{
VOID *pCredentials = NULL;
pPcb->dwClientEapTypeId = ApResult.dwEapTypeId;
//
// Call the eap dll to collect credentials here
// so that they can be passed to rasman to be
// saved in the cred manager.
//
if( (NO_ERROR == EapGetCredentials(pCpCb->pWorkBuf,
&pCredentials))
&& (NULL != pCredentials))
{
//
// Below call is not fatal.
//
(void) RasSetPortUserData(
pPcb->hPort,
PORT_CREDENTIALS_INDEX,
pCredentials,
sizeof(RASMAN_CREDENTIALS));
ZeroMemory(pCredentials,
sizeof(RASMAN_CREDENTIALS));
LocalFree(pCredentials);
}
}
}
if ( fAuthenticator )
{
RAS_AUTH_ATTRIBUTE * pAttribute;
RAS_AUTH_ATTRIBUTE * pUserAttributes = NULL;
if ( NULL != pPcb->pBcb->szRemoteIdentity )
{
LOCAL_FREE( pPcb->pBcb->szRemoteIdentity );
pPcb->pBcb->szRemoteIdentity = NULL;
}
pPcb->pBcb->szRemoteIdentity =
LOCAL_ALLOC( LPTR, strlen( ApResult.szUserName ) + 1 );
if ( NULL == pPcb->pBcb->szRemoteIdentity )
{
dwRetCode = GetLastError();
pPcb->LcpCb.dwError = dwRetCode;
NotifyCallerOfFailure( pPcb, dwRetCode );
return;
}
strcpy( pPcb->pBcb->szRemoteIdentity, ApResult.szUserName );
dwRetCode = ExtractUsernameAndDomain(
ApResult.szUserName,
pPcb->pBcb->szRemoteUserName,
NULL );
if ( dwRetCode != NO_ERROR )
{
pPcb->LcpCb.dwError = dwRetCode;
NotifyCallerOfFailure( pPcb, dwRetCode );
return;
}
if ( 0 == pPcb->pBcb->szLocalUserName[0] )
{
if ( NO_ERROR != GetCredentialsFromInterface( pPcb ) )
{
pPcb->pBcb->szLocalUserName[0] =
pPcb->pBcb->szPassword[0] =
pPcb->pBcb->szLocalDomain[0] = 0;
}
}
if ( ApResult.pUserAttributes != NULL )
{
pPcb->pAuthProtocolAttributes = ApResult.pUserAttributes;
pUserAttributes = ApResult.pUserAttributes;
}
else
{
pUserAttributes = pPcb->pAuthenticatorAttributes;
}
//
// Set all the user connection parameters authorized by the
// back-end authenticator
//
dwRetCode = SetUserAuthorizedAttributes(
pPcb,
pUserAttributes,
fAuthenticator,
(BYTE*)&(ApResult.abChallenge),
(BYTE*)&(ApResult.abResponse));
if ( dwRetCode != NO_ERROR )
{
pPcb->LcpCb.dwError = dwRetCode;
NotifyCallerOfFailure( pPcb, dwRetCode );
return;
}
//
// If we are a server and we negotiated to be authenticated
// by the remote peer we can do so now that we know who
// is dialed in.
//
if ( ( pLcpCb->Remote.Work.AP != 0 ) &&
( pPcb->AuthenticateeCb.pWorkBuf == NULL ) &&
( pPcb->AuthenticateeCb.fConfigurable ) &&
( pPcb->fFlags & PCBFLAG_IS_SERVER ) )
{
CpIndex = GetCpIndexFromProtocol( pLcpCb->Remote.Work.AP );
PPP_ASSERT(( CpIndex != (DWORD)-1 ));
if ( !ApStart( pPcb, CpIndex, FALSE ) )
{
return;
}
}
}
else
{
//
// Get the username from the CP if it supplies one.
//
if ( ( strlen( pPcb->pBcb->szLocalUserName ) == 0 )
&& ( strlen( ApResult.szUserName ) > 0 ) )
{
strcpy( pPcb->pBcb->szLocalUserName, ApResult.szUserName );
}
dwRetCode = SetUserAuthorizedAttributes(
pPcb,
ApResult.pUserAttributes,
fAuthenticator,
(BYTE*)&(ApResult.abChallenge),
(BYTE*)&(ApResult.abResponse));
if ( dwRetCode != NO_ERROR )
{
pPcb->LcpCb.dwError = dwRetCode;
NotifyCallerOfFailure( pPcb, dwRetCode );
return;
}
pPcb->pAuthProtocolAttributes = ApResult.pUserAttributes;
}
pCpCb->State = FSM_OPENED;
FsmThisLayerUp( pPcb, CpIndex );
break;
case ERROR_PASSWD_EXPIRED:
if ( pPcb->fFlags & PCBFLAG_IS_SERVER )
{
//
// We are a server and hence in non-interactive mode and
// hence we cannot do this.
//
pPcb->LcpCb.dwError = ApResult.dwError;
NotifyCallerOfFailure( pPcb, pPcb->LcpCb.dwError );
return;
}
else
{
//
// Password has expired so the user has to change his/her
// password.
//
NotifyCaller( pPcb, PPPMSG_ChangePwRequest, NULL );
}
break;
default:
//
// If we can retry with a new password then tell the client to
// get a new one from the user.
//
if ( (!fAuthenticator) && ( ApResult.fRetry ))
{
if ( pPcb->fFlags & PCBFLAG_IS_SERVER )
{
//
// We are a server and hence in non-interactive mode and
// hence we cannot do this.
//
pPcb->LcpCb.dwError = ApResult.dwError;
NotifyCallerOfFailure( pPcb, pPcb->LcpCb.dwError );
return;
}
else
{
PppLog( 2, "Sending auth retry message to UI" );
NotifyCaller( pPcb, PPPMSG_AuthRetry, &(ApResult.dwError) );
}
}
else
{
PppLog( 1, "Auth Protocol %x terminated with error %d",
CpTable[CpIndex].CpInfo.Protocol, ApResult.dwError );
if ( ApResult.szUserName[0] != (CHAR)NULL )
{
strcpy( pPcb->pBcb->szRemoteUserName, ApResult.szUserName );
}
if ( !( pPcb->fFlags & PCBFLAG_IS_SERVER ) &&
( fAuthenticator) )
{
pPcb->LcpCb.dwError = RemoteError( ApResult.dwError );
}
else
{
pPcb->LcpCb.dwError = ApResult.dwError;
}
NotifyCallerOfFailure( pPcb, pPcb->LcpCb.dwError );
return;
}
break;
}
break;
case APA_Authenticate:
if ( fAuthenticator )
{
DWORD dwIndex = 0;
DWORD dwExtraAttributes = 0;
DWORD dwNumUserAttributes = 0;
RAS_AUTH_ATTRIBUTE * pUserAttributes = NULL;
for ( dwNumUserAttributes = 0;
pPcb->pUserAttributes[dwNumUserAttributes].raaType
!= raatMinimum;
dwNumUserAttributes++ );
if ( CpTable[CpIndex].CpInfo.Protocol == PPP_EAP_PROTOCOL )
{
//
// One more for Framed-MTU
//
dwExtraAttributes = 1;
}
pUserAttributes = RasAuthAttributeCopyWithAlloc(
ApResult.pUserAttributes,
dwNumUserAttributes + dwExtraAttributes );
if ( pUserAttributes == NULL )
{
dwRetCode = GetLastError();
pPcb->LcpCb.dwError = dwRetCode;
NotifyCallerOfFailure( pPcb, pPcb->LcpCb.dwError );
return;
}
if ( dwExtraAttributes )
{
ULONG mru = (pLcpCb->Remote.Work.MRU > LCP_DEFAULT_MRU) ?
LCP_DEFAULT_MRU : pLcpCb->Remote.Work.MRU;
//
// Insert the Framed-MTU attribute at the start.
//
dwRetCode = RasAuthAttributeInsert(
0,
pUserAttributes,
raatFramedMTU,
FALSE,
4,
(LPVOID)
( UlongToPtr(mru)) );
if ( dwRetCode != NO_ERROR )
{
RasAuthAttributeDestroy( pUserAttributes );
pPcb->LcpCb.dwError = dwRetCode;
NotifyCallerOfFailure( pPcb, pPcb->LcpCb.dwError );
return;
}
}
//
// Insert the extra (user) attributes at the start. Attributes
// returned by the auth protocol follow.
//
for ( dwIndex = 0; dwIndex < dwNumUserAttributes; dwIndex++ )
{
dwRetCode = RasAuthAttributeInsert(
dwIndex + dwExtraAttributes,
pUserAttributes,
pPcb->pUserAttributes[dwIndex].raaType,
FALSE,
pPcb->pUserAttributes[dwIndex].dwLength,
pPcb->pUserAttributes[dwIndex].Value );
if ( dwRetCode != NO_ERROR )
{
RasAuthAttributeDestroy( pUserAttributes );
pPcb->LcpCb.dwError = dwRetCode;
NotifyCallerOfFailure( pPcb, pPcb->LcpCb.dwError );
return;
}
}
dwRetCode = RasAuthenticateClient( pPcb->hPort, pUserAttributes );
if ( dwRetCode != NO_ERROR )
{
pPcb->LcpCb.dwError = dwRetCode;
NotifyCallerOfFailure( pPcb, pPcb->LcpCb.dwError );
return;
}
}
break;
case APA_NoAction:
break;
default:
break;
}
//
// Check to see if we have to bring up the UI for EAP
//
if ( ( !fAuthenticator ) && ( ApResult.fInvokeEapUI ) )
{
NotifyCaller(pPcb, PPPMSG_InvokeEapUI, &(ApResult.InvokeEapUIData));
}
}