1762 lines
50 KiB
C
1762 lines
50 KiB
C
/********************************************************************/
|
||
/** Copyright(c) 1989 Microsoft Corporation. **/
|
||
/********************************************************************/
|
||
|
||
//***
|
||
//
|
||
// Filename: auth.c
|
||
//
|
||
// Description: Contains FSM code to handle and authentication protocols.
|
||
//
|
||
// History:
|
||
// Nov 11,1993. NarenG Created original version.
|
||
// Jan 09,1995 RamC Save Lsa hToken in the PCB structure
|
||
// This will be closed
|
||
// in ProcessLineDownWorker() routine
|
||
// to release the RAS license.
|
||
|
||
#include <nt.h>
|
||
#include <ntrtl.h>
|
||
#include <nturtl.h> // needed for winbase.h
|
||
|
||
#include <windows.h> // Win32 base API's
|
||
#include <stdlib.h>
|
||
#include <string.h>
|
||
#include <wchar.h>
|
||
|
||
#include <lmcons.h>
|
||
#include <raserror.h>
|
||
#include <rasman.h>
|
||
#include <rtutils.h>
|
||
#include <mprlog.h>
|
||
#include <mprerror.h>
|
||
#include <rasppp.h>
|
||
#include <pppcp.h>
|
||
#include <ppp.h>
|
||
#include <auth.h>
|
||
#include <smevents.h>
|
||
#include <smaction.h>
|
||
#include <lcp.h>
|
||
#include <timer.h>
|
||
#include <util.h>
|
||
#include <worker.h>
|
||
#define INCL_RASAUTHATTRIBUTES
|
||
#define INCL_MISC
|
||
#include <ppputil.h>
|
||
|
||
DWORD
|
||
EapGetCredentials(
|
||
VOID *pWorkBuf,
|
||
VOID *ppCredentials);
|
||
|
||
|
||
//**
|
||
//
|
||
// Call: SetMsChapMppeKeys
|
||
//
|
||
// Returns: NO_ERROR - Success
|
||
// Non-zero returns - Failure
|
||
//
|
||
// Description: Set the MS-CHAP-MPPE-Keys with NDISWAN
|
||
//
|
||
DWORD
|
||
SetMsChapMppeKeys(
|
||
IN HPORT hPort,
|
||
IN RAS_AUTH_ATTRIBUTE * pAttribute,
|
||
IN BYTE * pChallenge,
|
||
IN BYTE * pResponse,
|
||
IN DWORD AP,
|
||
IN DWORD APData
|
||
)
|
||
{
|
||
RAS_COMPRESSION_INFO rciSend;
|
||
RAS_COMPRESSION_INFO rciReceive;
|
||
DWORD dwRetCode = NO_ERROR;
|
||
|
||
ASSERT( 8 == sizeof( rciSend.RCI_LMSessionKey ) );
|
||
|
||
ASSERT( 16 == sizeof( rciSend.RCI_UserSessionKey ) );
|
||
|
||
//
|
||
// Length of key is 8 (LM key) + 16 (NT key)
|
||
//
|
||
|
||
if ( pAttribute->dwLength < ( 6 + 8 + 16 ) )
|
||
{
|
||
return( ERROR_INVALID_PARAMETER );
|
||
}
|
||
|
||
ZeroMemory( &rciSend, sizeof( rciSend ) );
|
||
rciSend.RCI_MacCompressionType = 0xFF;
|
||
|
||
CopyMemory( rciSend.RCI_LMSessionKey,
|
||
((PBYTE)(pAttribute->Value))+6,
|
||
8 );
|
||
|
||
CopyMemory( rciSend.RCI_UserSessionKey,
|
||
((PBYTE)(pAttribute->Value))+6+8,
|
||
16 );
|
||
|
||
CopyMemory( rciSend.RCI_Challenge, pChallenge, 8 );
|
||
|
||
CopyMemory( rciSend.RCI_NTResponse, pResponse, 24 );
|
||
|
||
rciSend.RCI_Flags = CCP_SET_KEYS;
|
||
|
||
ZeroMemory( &rciReceive, sizeof( rciReceive ) );
|
||
|
||
rciReceive.RCI_MacCompressionType = 0xFF;
|
||
|
||
CopyMemory( rciReceive.RCI_LMSessionKey,
|
||
((PBYTE)(pAttribute->Value))+6,
|
||
8 );
|
||
|
||
CopyMemory( rciReceive.RCI_UserSessionKey,
|
||
((PBYTE)(pAttribute->Value))+6+8,
|
||
16 );
|
||
|
||
CopyMemory( rciReceive.RCI_Challenge, pChallenge, 8 );
|
||
|
||
CopyMemory( rciReceive.RCI_NTResponse, pResponse, 24 );
|
||
|
||
rciReceive.RCI_Flags = CCP_SET_KEYS;
|
||
|
||
rciSend.RCI_AuthType = AUTH_USE_MSCHAPV2;
|
||
rciReceive.RCI_AuthType = AUTH_USE_MSCHAPV2;
|
||
|
||
if ( ( AP == PPP_CHAP_PROTOCOL ) &&
|
||
( APData == PPP_CHAP_DIGEST_MSEXT ))
|
||
{
|
||
rciSend.RCI_AuthType = AUTH_USE_MSCHAPV1;
|
||
rciReceive.RCI_AuthType = AUTH_USE_MSCHAPV1;
|
||
}
|
||
|
||
dwRetCode = RasCompressionSetInfo(hPort,&rciSend,&rciReceive);
|
||
|
||
if ( dwRetCode != NO_ERROR )
|
||
{
|
||
PppLog( 1,"RasCompressionSetInfo failed, Error=%d", dwRetCode );
|
||
}
|
||
|
||
return( dwRetCode );
|
||
}
|
||
|
||
//**
|
||
//
|
||
// Call: SetMsMppeSendRecvKeys
|
||
//
|
||
// Returns: NO_ERROR - Success
|
||
// Non-zero returns - Failure
|
||
//
|
||
// Description: Set the MS-MPPE-Send-Key and MS-MPPE-Recv-Key with NDISWAN
|
||
//
|
||
DWORD
|
||
SetMsMppeSendRecvKeys(
|
||
IN HPORT hPort,
|
||
IN RAS_AUTH_ATTRIBUTE * pAttributeSendKey,
|
||
IN RAS_AUTH_ATTRIBUTE * pAttributeRecvKey
|
||
)
|
||
{
|
||
RAS_COMPRESSION_INFO rciSend;
|
||
RAS_COMPRESSION_INFO rciRecv;
|
||
DWORD dwRetCode = NO_ERROR;
|
||
|
||
//
|
||
// 4: for Vendor-Id.
|
||
//
|
||
// The Microsoft Vendor-specific RADIUS Attributes draft says that
|
||
// Vendor-Length should be > 4.
|
||
//
|
||
|
||
if ( pAttributeSendKey->dwLength <= ( 4 + 4 ) )
|
||
{
|
||
return( ERROR_INVALID_PARAMETER );
|
||
}
|
||
|
||
ZeroMemory( &rciSend, sizeof( rciSend ) );
|
||
|
||
rciSend.RCI_MacCompressionType = 0xFF;
|
||
|
||
rciSend.RCI_EapKeyLength = *(((BYTE*)(pAttributeSendKey->Value))+8);
|
||
|
||
CopyMemory( rciSend.RCI_EapKey,
|
||
((BYTE*)(pAttributeSendKey->Value))+9,
|
||
rciSend.RCI_EapKeyLength );
|
||
|
||
rciSend.RCI_Flags = CCP_SET_KEYS;
|
||
rciSend.RCI_AuthType = AUTH_USE_EAP;
|
||
|
||
if ( pAttributeRecvKey->dwLength <= ( 4 + 4 ) )
|
||
{
|
||
return( ERROR_INVALID_PARAMETER );
|
||
}
|
||
|
||
ZeroMemory( &rciRecv, sizeof( rciRecv ) );
|
||
|
||
rciRecv.RCI_MacCompressionType = 0xFF;
|
||
|
||
rciRecv.RCI_EapKeyLength = *(((BYTE*)(pAttributeRecvKey->Value))+8);
|
||
|
||
CopyMemory( rciRecv.RCI_EapKey,
|
||
((BYTE*)(pAttributeRecvKey->Value))+9,
|
||
rciRecv.RCI_EapKeyLength );
|
||
|
||
rciRecv.RCI_Flags = CCP_SET_KEYS;
|
||
rciRecv.RCI_AuthType = AUTH_USE_EAP;
|
||
|
||
dwRetCode = RasCompressionSetInfo(hPort,&rciSend,&rciRecv);
|
||
|
||
if ( dwRetCode != NO_ERROR )
|
||
{
|
||
PppLog( 1,"RasCompressionSetInfo failed, Error=%d", dwRetCode );
|
||
}
|
||
|
||
return( dwRetCode );
|
||
}
|
||
|
||
//**
|
||
//
|
||
// Call: SetUserAuthorizedAttributes
|
||
//
|
||
// Returns: NO_ERROR - Success
|
||
// Non-zero returns - Failure
|
||
//
|
||
// Description:
|
||
//
|
||
DWORD
|
||
SetUserAuthorizedAttributes(
|
||
IN PCB * pPcb,
|
||
IN RAS_AUTH_ATTRIBUTE * pUserAttributes,
|
||
IN BOOL fAuthenticator,
|
||
IN BYTE * pChallenge,
|
||
IN BYTE * pResponse
|
||
)
|
||
{
|
||
RAS_AUTH_ATTRIBUTE * pAttribute;
|
||
RAS_AUTH_ATTRIBUTE * pAttributeSendKey;
|
||
RAS_AUTH_ATTRIBUTE * pAttributeRecvKey;
|
||
DWORD dwRetCode;
|
||
DWORD dwEncryptionPolicy = 0;
|
||
DWORD dwEncryptionTypes = 0;
|
||
BOOL fL2tp = FALSE;
|
||
BOOL fPptp = FALSE;
|
||
|
||
CreateAccountingAttributes( pPcb );
|
||
|
||
if ( RAS_DEVICE_TYPE( pPcb->dwDeviceType ) == RDT_Tunnel_L2tp )
|
||
{
|
||
fL2tp = TRUE;
|
||
}
|
||
|
||
if ( RAS_DEVICE_TYPE( pPcb->dwDeviceType ) == RDT_Tunnel_Pptp )
|
||
{
|
||
fPptp = TRUE;
|
||
}
|
||
|
||
//
|
||
// Find out if we are to require encrypted data using MPPE
|
||
//
|
||
|
||
pAttribute = RasAuthAttributeGetVendorSpecific( 311, 7, pUserAttributes );
|
||
|
||
if ( pAttribute != NULL )
|
||
{
|
||
dwEncryptionPolicy
|
||
= WireToHostFormat32(((BYTE*)(pAttribute->Value))+6);
|
||
|
||
pAttribute = RasAuthAttributeGetVendorSpecific( 311,
|
||
8,
|
||
pUserAttributes );
|
||
if ( pAttribute != NULL )
|
||
{
|
||
dwEncryptionTypes
|
||
= WireToHostFormat32(((BYTE*)(pAttribute->Value))+6);
|
||
|
||
if ( dwEncryptionPolicy == 2 )
|
||
{
|
||
if (!fL2tp)
|
||
{
|
||
//
|
||
// Find out what types of encryption are to be required
|
||
//
|
||
|
||
if ( ( dwEncryptionTypes & 0x00000002 )
|
||
|| ( dwEncryptionTypes & 0x00000008 ) )
|
||
{
|
||
pPcb->ConfigInfo.dwConfigMask
|
||
|= PPPCFG_RequireEncryption;
|
||
PppLog( 1,"Encryption" );
|
||
}
|
||
|
||
if ( dwEncryptionTypes & 0x00000004 )
|
||
{
|
||
pPcb->ConfigInfo.dwConfigMask
|
||
|= PPPCFG_RequireStrongEncryption;
|
||
PppLog( 1,"Strong encryption" );
|
||
}
|
||
|
||
if ( dwEncryptionTypes == 0 )
|
||
{
|
||
pPcb->ConfigInfo.dwConfigMask
|
||
|= PPPCFG_DisableEncryption;
|
||
PppLog( 1,"Encryption is not allowed" );
|
||
}
|
||
}
|
||
}
|
||
else if ( dwEncryptionPolicy == 1 )
|
||
{
|
||
//
|
||
// Find out what types of encryption are to be allowed
|
||
//
|
||
|
||
if ( !fL2tp && !dwEncryptionTypes )
|
||
{
|
||
pPcb->ConfigInfo.dwConfigMask |= PPPCFG_DisableEncryption;
|
||
PppLog( 1,"Encryption is not allowed" );
|
||
}
|
||
}
|
||
}
|
||
}
|
||
|
||
//
|
||
// Set encryption keys if we got them, provided we have not already done so
|
||
//
|
||
|
||
if ( !( pPcb->fFlags & PCBFLAG_MPPE_KEYS_SET ) )
|
||
{
|
||
pAttribute = RasAuthAttributeGetVendorSpecific(
|
||
311, 12, pUserAttributes);
|
||
|
||
if ( pAttribute != NULL )
|
||
{
|
||
//
|
||
// Set the MS-CHAP-MPPE-Keys with NDISWAN
|
||
//
|
||
|
||
LCPCB * pLcpCb = (LCPCB*)(pPcb->LcpCb.pWorkBuf);
|
||
DWORD AP;
|
||
DWORD APData = 0;
|
||
|
||
AP = ( fAuthenticator ? pLcpCb->Local.Work.AP :
|
||
pLcpCb->Remote.Work.AP );
|
||
|
||
if ( AP == PPP_CHAP_PROTOCOL )
|
||
{
|
||
APData = ( fAuthenticator ? *(pLcpCb->Local.Work.pAPData) :
|
||
*(pLcpCb->Remote.Work.pAPData) );
|
||
}
|
||
|
||
dwRetCode = SetMsChapMppeKeys( pPcb->hPort,
|
||
pAttribute,
|
||
pChallenge,
|
||
pResponse,
|
||
AP,
|
||
APData
|
||
);
|
||
|
||
if ( NO_ERROR != dwRetCode )
|
||
{
|
||
return( dwRetCode );
|
||
}
|
||
|
||
PppLog( 1,"MS-CHAP-MPPE-Keys set" );
|
||
|
||
pPcb->fFlags |= PCBFLAG_MPPE_KEYS_SET;
|
||
}
|
||
|
||
pAttributeSendKey = RasAuthAttributeGetVendorSpecific( 311, 16,
|
||
pUserAttributes );
|
||
pAttributeRecvKey = RasAuthAttributeGetVendorSpecific( 311, 17,
|
||
pUserAttributes );
|
||
|
||
if ( ( pAttributeSendKey != NULL )
|
||
&& ( pAttributeRecvKey != NULL ) )
|
||
{
|
||
//
|
||
// Set the MS-MPPE-Send-Key and MS-MPPE-Recv-Key with NDISWAN
|
||
//
|
||
|
||
dwRetCode = SetMsMppeSendRecvKeys( pPcb->hPort,
|
||
pAttributeSendKey,
|
||
pAttributeRecvKey
|
||
);
|
||
|
||
if ( NO_ERROR != dwRetCode )
|
||
{
|
||
return( dwRetCode );
|
||
}
|
||
|
||
PppLog( 1,"MPPE-Send/Recv-Keys set" );
|
||
|
||
pPcb->fFlags |= PCBFLAG_MPPE_KEYS_SET;
|
||
}
|
||
}
|
||
|
||
//
|
||
// Check if L2tp is being used
|
||
//
|
||
|
||
if ( fL2tp )
|
||
{
|
||
DWORD dwMask = 0;
|
||
DWORD dwSize = sizeof(DWORD);
|
||
DWORD dwConfigMask;
|
||
|
||
dwRetCode = RasGetPortUserData( pPcb->hPort, PORT_IPSEC_INFO_INDEX,
|
||
(BYTE*) &dwMask, &dwSize );
|
||
|
||
if ( NO_ERROR != dwRetCode )
|
||
{
|
||
PppLog( 1, "RasGetPortUserData failed: 0x%x", dwRetCode );
|
||
|
||
dwRetCode = NO_ERROR;
|
||
}
|
||
|
||
PppLog( 1, "Checking encryption. Policy=0x%x,Types=0x%x,Mask=0x%x",
|
||
dwEncryptionPolicy, dwEncryptionTypes, dwMask );
|
||
|
||
if ( dwMask == RASMAN_IPSEC_ESP_DES )
|
||
{
|
||
pPcb->pBcb->fFlags |= BCBFLAG_BASIC_ENCRYPTION;
|
||
}
|
||
else if ( dwMask == RASMAN_IPSEC_ESP_3_DES )
|
||
{
|
||
pPcb->pBcb->fFlags |= BCBFLAG_STRONGEST_ENCRYPTION;
|
||
}
|
||
|
||
if ( !fAuthenticator )
|
||
{
|
||
//
|
||
// If the user requires maximum encryption (3DES), but we
|
||
// negotiated weaker encryption (56-bit DES), then return an error.
|
||
//
|
||
|
||
dwConfigMask = pPcb->ConfigInfo.dwConfigMask;
|
||
|
||
if ( ( dwConfigMask & PPPCFG_RequireStrongEncryption )
|
||
&& !( dwConfigMask & PPPCFG_RequireEncryption )
|
||
&& !( dwConfigMask & PPPCFG_DisableEncryption )
|
||
&& ( dwMask != RASMAN_IPSEC_ESP_3_DES ) )
|
||
{
|
||
return( ERROR_NO_REMOTE_ENCRYPTION );
|
||
}
|
||
|
||
//
|
||
// We are done with the PPPCFG_Require*Encryption flags. Let us now
|
||
// turn them off because we don't care what kind of encryption CCP
|
||
// negotiates.
|
||
//
|
||
|
||
pPcb->ConfigInfo.dwConfigMask &= ~PPPCFG_RequireStrongEncryption;
|
||
pPcb->ConfigInfo.dwConfigMask &= ~PPPCFG_RequireEncryption;
|
||
}
|
||
else if ( dwEncryptionPolicy != 0 )
|
||
{
|
||
BOOL fPolicyError = FALSE;
|
||
|
||
//
|
||
// There is an encryption policy
|
||
//
|
||
|
||
switch ( dwMask )
|
||
{
|
||
case 0:
|
||
|
||
if ( ( dwEncryptionPolicy == 2 )
|
||
&& ( dwEncryptionTypes != 0 ) )
|
||
{
|
||
fPolicyError = TRUE;
|
||
break;
|
||
}
|
||
|
||
break;
|
||
|
||
case RASMAN_IPSEC_ESP_DES:
|
||
|
||
if ( !( dwEncryptionTypes & 0x00000002 )
|
||
&& !( dwEncryptionTypes & 0x00000008 ) )
|
||
{
|
||
fPolicyError = TRUE;
|
||
break;
|
||
}
|
||
|
||
break;
|
||
|
||
case RASMAN_IPSEC_ESP_3_DES:
|
||
|
||
if (!( dwEncryptionTypes & 0x00000004 ) )
|
||
{
|
||
fPolicyError = TRUE;
|
||
break;
|
||
}
|
||
|
||
break;
|
||
}
|
||
|
||
if ( fPolicyError )
|
||
{
|
||
//
|
||
// We need to send an Accounting Stop if RADIUS sends an Access
|
||
// Accept but we still drop the line.
|
||
//
|
||
|
||
pPcb->fFlags |= PCBFLAG_SERVICE_UNAVAILABLE;
|
||
|
||
return( ERROR_NO_REMOTE_ENCRYPTION );
|
||
}
|
||
}
|
||
}
|
||
|
||
//
|
||
// If we require encryption make sure we have the keys and that CCP is
|
||
// loaded.
|
||
//
|
||
|
||
if ( pPcb->ConfigInfo.dwConfigMask & ( PPPCFG_RequireEncryption |
|
||
PPPCFG_RequireStrongEncryption ) )
|
||
{
|
||
if ( !( pPcb->fFlags & PCBFLAG_MPPE_KEYS_SET )
|
||
|| ( GetCpIndexFromProtocol( PPP_CCP_PROTOCOL ) == -1 ) )
|
||
{
|
||
//
|
||
// We need to send an Accounting Stop if RADIUS sends an Access
|
||
// Accept but we still drop the line.
|
||
//
|
||
|
||
pPcb->fFlags |= PCBFLAG_SERVICE_UNAVAILABLE;
|
||
|
||
return( ERROR_NO_LOCAL_ENCRYPTION );
|
||
}
|
||
}
|
||
|
||
//
|
||
// If we are not the authenticator then there is nothing more to set
|
||
//
|
||
|
||
if ( !fAuthenticator )
|
||
{
|
||
return( NO_ERROR );
|
||
}
|
||
|
||
//
|
||
// Check framed protocol attribute. It must be PPP.
|
||
//
|
||
|
||
pAttribute = RasAuthAttributeGet( raatFramedProtocol, pUserAttributes );
|
||
|
||
if ( pAttribute != NULL )
|
||
{
|
||
if ( PtrToUlong(pAttribute->Value) != 1 )
|
||
{
|
||
//
|
||
// We need to send an Accounting Stop if RADIUS sends an Access
|
||
// Accept but we still drop the line.
|
||
//
|
||
|
||
pPcb->fFlags |= PCBFLAG_SERVICE_UNAVAILABLE;
|
||
|
||
return( ERROR_UNKNOWN_FRAMED_PROTOCOL );
|
||
}
|
||
}
|
||
|
||
//
|
||
// Check tunnel type attribute. It must be correct.
|
||
//
|
||
|
||
pAttribute = RasAuthAttributeGet( raatTunnelType, pUserAttributes );
|
||
|
||
if ( pAttribute != NULL )
|
||
{
|
||
DWORD dwTunnelType = PtrToUlong(pAttribute->Value);
|
||
|
||
if ( ( fL2tp && ( dwTunnelType != 3 ) )
|
||
|| ( fPptp && ( dwTunnelType != 1 ) ) )
|
||
{
|
||
//
|
||
// We need to send an Accounting Stop if RADIUS sends an Access
|
||
// Accept but we still drop the line.
|
||
//
|
||
|
||
pPcb->fFlags |= PCBFLAG_SERVICE_UNAVAILABLE;
|
||
|
||
return( ERROR_WRONG_TUNNEL_TYPE );
|
||
}
|
||
}
|
||
|
||
//
|
||
// Get the logon domain attribute
|
||
//
|
||
|
||
pAttribute = RasAuthAttributeGetVendorSpecific( 311, 10, pUserAttributes );
|
||
|
||
if ( pAttribute != NULL )
|
||
{
|
||
DWORD cbDomain = sizeof( pPcb->pBcb->szRemoteDomain ) - 1;
|
||
|
||
if ( ( pAttribute->dwLength - 7 ) < cbDomain )
|
||
{
|
||
cbDomain = pAttribute->dwLength - 7;
|
||
}
|
||
|
||
ZeroMemory( pPcb->pBcb->szRemoteDomain,
|
||
sizeof( pPcb->pBcb->szRemoteDomain ) );
|
||
|
||
CopyMemory( pPcb->pBcb->szRemoteDomain,
|
||
(LPSTR)((PBYTE)(pAttribute->Value)+7),
|
||
cbDomain );
|
||
|
||
PppLog( 2, "Auth Attribute Domain = %s", pPcb->pBcb->szRemoteDomain);
|
||
}
|
||
|
||
//
|
||
// Setup callback information, default is no callback
|
||
//
|
||
|
||
pPcb->fCallbackPrivilege = RASPRIV_NoCallback;
|
||
pPcb->szCallbackNumber[0] = (CHAR)NULL;
|
||
|
||
pAttribute = RasAuthAttributeGet( raatServiceType, pUserAttributes );
|
||
|
||
if ( pAttribute != NULL )
|
||
{
|
||
if ( PtrToUlong(pAttribute->Value) == 4 )
|
||
{
|
||
//
|
||
// If service type is callback framed
|
||
//
|
||
|
||
pAttribute=RasAuthAttributeGet(raatCallbackNumber,pUserAttributes);
|
||
|
||
if ( ( pAttribute == NULL ) || ( pAttribute->dwLength == 0 ) )
|
||
{
|
||
pPcb->fCallbackPrivilege = RASPRIV_NoCallback |
|
||
RASPRIV_CallerSetCallback;
|
||
|
||
pPcb->szCallbackNumber[0] = (CHAR)NULL;
|
||
|
||
PppLog(2,"Auth Attribute Caller Specifiable callback");
|
||
}
|
||
else
|
||
{
|
||
pPcb->fCallbackPrivilege = RASPRIV_AdminSetCallback;
|
||
|
||
ZeroMemory(pPcb->szCallbackNumber,
|
||
sizeof(pPcb->szCallbackNumber));
|
||
|
||
CopyMemory( pPcb->szCallbackNumber,
|
||
pAttribute->Value,
|
||
pAttribute->dwLength );
|
||
|
||
PppLog( 2, "Auth Attribute Forced callback to %s",
|
||
pPcb->szCallbackNumber );
|
||
|
||
//
|
||
// Don't accept BAP Call-Requests. Otherwise, when the client
|
||
// calls us, we will drop the line and callback. The first call
|
||
// would be a waste.
|
||
//
|
||
|
||
pPcb->pBcb->fFlags &= ~BCBFLAG_CAN_ACCEPT_CALLS;
|
||
}
|
||
}
|
||
else if ( PtrToUlong(pAttribute->Value) != 2 )
|
||
{
|
||
PppLog( 2, "Service Type %d is not of type Framed",
|
||
PtrToUlong(pAttribute->Value) );
|
||
|
||
//
|
||
// We need to send an Accounting Stop if RADIUS sends an Access
|
||
// Accept but we still drop the line.
|
||
//
|
||
|
||
pPcb->fFlags |= PCBFLAG_SERVICE_UNAVAILABLE;
|
||
|
||
return( ERROR_UNKNOWN_SERVICE_TYPE );
|
||
}
|
||
}
|
||
|
||
if ( ( pPcb->fCallbackPrivilege & RASPRIV_CallerSetCallback )
|
||
|| ( pPcb->fCallbackPrivilege & RASPRIV_AdminSetCallback ) )
|
||
{
|
||
pPcb->pBcb->fFlags |= BCBFLAG_CAN_CALL;
|
||
}
|
||
|
||
//
|
||
// Use idle-timeout value if we got one.
|
||
//
|
||
|
||
pAttribute = RasAuthAttributeGet( raatIdleTimeout, pUserAttributes );
|
||
|
||
if ( pAttribute != NULL )
|
||
{
|
||
pPcb->dwAutoDisconnectTime = PtrToUlong(pAttribute->Value);
|
||
|
||
}
|
||
else
|
||
{
|
||
pPcb->dwAutoDisconnectTime = PppConfigInfo.dwDefaulIdleTimeout;
|
||
}
|
||
|
||
PppLog( 2, "Auth Attribute Idle Timeout Seconds = %d",
|
||
pPcb->dwAutoDisconnectTime );
|
||
|
||
//
|
||
// Use MaxChannels value if we got one.
|
||
//
|
||
|
||
pAttribute = RasAuthAttributeGet( raatPortLimit, pUserAttributes );
|
||
|
||
if ( pAttribute != NULL )
|
||
{
|
||
if ( PtrToUlong(pAttribute->Value) > 0 )
|
||
{
|
||
pPcb->pBcb->dwMaxLinksAllowed = PtrToUlong(pAttribute->Value);
|
||
}
|
||
else
|
||
{
|
||
pPcb->pBcb->dwMaxLinksAllowed = PppConfigInfo.dwDefaultPortLimit;
|
||
}
|
||
}
|
||
else
|
||
{
|
||
pPcb->pBcb->dwMaxLinksAllowed = PppConfigInfo.dwDefaultPortLimit;
|
||
}
|
||
|
||
PppLog( 2, "AuthAttribute MaxChannelsAllowed = %d",
|
||
pPcb->pBcb->dwMaxLinksAllowed );
|
||
|
||
//
|
||
// See if BAP is required
|
||
//
|
||
|
||
pAttribute = RasAuthAttributeGetVendorSpecific( 311, 13, pUserAttributes );
|
||
|
||
if ( pAttribute != NULL )
|
||
{
|
||
if ( WireToHostFormat32( (PBYTE)(pAttribute->Value)+6 ) == 2 )
|
||
{
|
||
PppLog( 2, "AuthAttribute BAPRequired" );
|
||
|
||
pPcb->pBcb->fFlags |= BCBFLAG_BAP_REQUIRED;
|
||
}
|
||
}
|
||
|
||
//
|
||
// For the server never send a request bring up the line
|
||
//
|
||
|
||
pPcb->pBcb->BapParams.dwDialExtraPercent = 100;
|
||
pPcb->pBcb->BapParams.dwDialExtraSampleSeconds = 100;
|
||
|
||
pAttribute = RasAuthAttributeGetVendorSpecific( 311, 14, pUserAttributes );
|
||
|
||
if ( ( pAttribute != NULL ) && ( pAttribute->dwLength == 10 ) )
|
||
{
|
||
pPcb->pBcb->BapParams.dwHangUpExtraPercent =
|
||
WireToHostFormat32( ((BYTE *)(pAttribute->Value))+6 );
|
||
|
||
PppLog( 2, "AuthAttribute BAPLineDownLimit = %d",
|
||
pPcb->pBcb->BapParams.dwHangUpExtraPercent );
|
||
}
|
||
else
|
||
{
|
||
pPcb->pBcb->BapParams.dwHangUpExtraPercent =
|
||
PppConfigInfo.dwHangupExtraPercent;
|
||
}
|
||
|
||
pAttribute = RasAuthAttributeGetVendorSpecific( 311, 15, pUserAttributes );
|
||
|
||
if ( ( pAttribute != NULL ) && ( pAttribute->dwLength == 10 ) )
|
||
{
|
||
pPcb->pBcb->BapParams.dwHangUpExtraSampleSeconds =
|
||
WireToHostFormat32( ((BYTE *)(pAttribute->Value))+6 );
|
||
|
||
PppLog( 2, "AuthAttribute BAPLineDownTime = %d",
|
||
pPcb->pBcb->BapParams.dwHangUpExtraSampleSeconds );
|
||
}
|
||
else
|
||
{
|
||
pPcb->pBcb->BapParams.dwHangUpExtraSampleSeconds =
|
||
PppConfigInfo.dwHangUpExtraSampleSeconds;
|
||
}
|
||
|
||
return( NO_ERROR );
|
||
}
|
||
|
||
//**
|
||
//
|
||
// Call: RasAuthenticateUserWorker
|
||
//
|
||
// Returns: None.
|
||
//
|
||
// Description:
|
||
//
|
||
VOID
|
||
RasAuthenticateUserWorker(
|
||
PVOID pContext
|
||
)
|
||
{
|
||
PCB_WORK_ITEM * pWorkItem = (PCB_WORK_ITEM *)pContext;
|
||
|
||
pWorkItem->PppMsg.AuthInfo.dwError =
|
||
(*PppConfigInfo.RasAuthProviderAuthenticateUser)(
|
||
pWorkItem->PppMsg.AuthInfo.pInAttributes,
|
||
&(pWorkItem->PppMsg.AuthInfo.pOutAttributes),
|
||
&(pWorkItem->PppMsg.AuthInfo.dwResultCode) );
|
||
|
||
RasAuthAttributeDestroy( pWorkItem->PppMsg.AuthInfo.pInAttributes );
|
||
|
||
InsertWorkItemInQ( pWorkItem );
|
||
}
|
||
|
||
//**
|
||
//
|
||
// Call: RasAuthenticateClient
|
||
//
|
||
// Returns: NO_ERROR - Success
|
||
// Non-zero returns - Failure
|
||
//
|
||
// Description:
|
||
//
|
||
DWORD
|
||
RasAuthenticateClient(
|
||
IN HPORT hPort,
|
||
IN RAS_AUTH_ATTRIBUTE * pInAttributes
|
||
)
|
||
{
|
||
PCB * pPcb = GetPCBPointerFromhPort( hPort );
|
||
LCPCB * pLcpCb = NULL;
|
||
PCB_WORK_ITEM * pWorkItem = NULL;
|
||
DWORD dwRetCode = NO_ERROR;
|
||
|
||
if ( pPcb == NULL )
|
||
{
|
||
RasAuthAttributeDestroy( pInAttributes );
|
||
|
||
return( ERROR_INVALID_PORT_HANDLE );
|
||
}
|
||
|
||
pLcpCb = (LCPCB*)(pPcb->LcpCb.pWorkBuf);
|
||
|
||
pWorkItem = (PCB_WORK_ITEM *)LOCAL_ALLOC( LPTR, sizeof(PCB_WORK_ITEM) );
|
||
|
||
if ( pWorkItem == (PCB_WORK_ITEM *)NULL )
|
||
{
|
||
LogPPPEvent( ROUTERLOG_NOT_ENOUGH_MEMORY, GetLastError() );
|
||
|
||
RasAuthAttributeDestroy( pInAttributes );
|
||
|
||
return( GetLastError() );
|
||
}
|
||
|
||
pWorkItem->hPort = hPort;
|
||
pWorkItem->dwPortId = pPcb->dwPortId;
|
||
pWorkItem->Protocol = pLcpCb->Local.Work.AP;
|
||
pWorkItem->PppMsg.AuthInfo.pInAttributes = pInAttributes;
|
||
pWorkItem->PppMsg.AuthInfo.dwId = GetUId( pPcb, LCP_INDEX );
|
||
pWorkItem->Process = ProcessAuthInfo;
|
||
|
||
pPcb->dwOutstandingAuthRequestId = pWorkItem->PppMsg.AuthInfo.dwId;
|
||
|
||
dwRetCode = RtlNtStatusToDosError( RtlQueueWorkItem( RasAuthenticateUserWorker,
|
||
pWorkItem,
|
||
WT_EXECUTEDEFAULT ) );
|
||
if ( dwRetCode != NO_ERROR )
|
||
{
|
||
RasAuthAttributeDestroy( pInAttributes );
|
||
|
||
LOCAL_FREE( pWorkItem );
|
||
}
|
||
|
||
return( dwRetCode );
|
||
}
|
||
|
||
//**
|
||
//
|
||
// Call: RemoteError
|
||
//
|
||
// Returns: DWORD - Remote version of this error
|
||
//
|
||
// Description: Called by a client authenticating the server.
|
||
//
|
||
DWORD
|
||
RemoteError(
|
||
IN DWORD dwError
|
||
)
|
||
{
|
||
switch( dwError )
|
||
{
|
||
case ERROR_NO_DIALIN_PERMISSION:
|
||
return( ERROR_REMOTE_NO_DIALIN_PERMISSION );
|
||
|
||
case ERROR_PASSWD_EXPIRED:
|
||
return( ERROR_REMOTE_PASSWD_EXPIRED );
|
||
|
||
case ERROR_ACCT_DISABLED:
|
||
return( ERROR_REMOTE_ACCT_DISABLED );
|
||
|
||
case ERROR_RESTRICTED_LOGON_HOURS:
|
||
return( ERROR_REMOTE_RESTRICTED_LOGON_HOURS );
|
||
|
||
case ERROR_AUTHENTICATION_FAILURE:
|
||
return( ERROR_REMOTE_AUTHENTICATION_FAILURE );
|
||
|
||
case ERROR_REQ_NOT_ACCEP:
|
||
return( ERROR_LICENSE_QUOTA_EXCEEDED );
|
||
|
||
default:
|
||
return( dwError );
|
||
}
|
||
}
|
||
|
||
//**
|
||
//
|
||
// Call: ApIsAuthenticatorPacket
|
||
//
|
||
// Returns: TRUE - Packet belongs to authenticator
|
||
// FALSE - Otherwise
|
||
//
|
||
// Description: Called to figure out whether to send the auth packet to the
|
||
// authenticator or authenticatee.
|
||
//
|
||
BOOL
|
||
ApIsAuthenticatorPacket(
|
||
IN DWORD CpIndex,
|
||
IN BYTE bConfigCode
|
||
)
|
||
{
|
||
switch( CpTable[CpIndex].CpInfo.Protocol )
|
||
{
|
||
case PPP_PAP_PROTOCOL:
|
||
|
||
switch( bConfigCode )
|
||
{
|
||
case 1:
|
||
return( TRUE );
|
||
default:
|
||
return( FALSE );
|
||
}
|
||
break;
|
||
|
||
case PPP_CHAP_PROTOCOL:
|
||
|
||
switch( bConfigCode )
|
||
{
|
||
case 2:
|
||
case 5:
|
||
case 6:
|
||
case 7:
|
||
return( TRUE );
|
||
default:
|
||
return( FALSE );
|
||
}
|
||
break;
|
||
|
||
case PPP_SPAP_NEW_PROTOCOL:
|
||
|
||
switch( bConfigCode )
|
||
{
|
||
case 1:
|
||
case 6:
|
||
return( TRUE );
|
||
default:
|
||
return( FALSE );
|
||
}
|
||
|
||
break;
|
||
|
||
case PPP_EAP_PROTOCOL:
|
||
|
||
switch( bConfigCode )
|
||
{
|
||
case 2:
|
||
return( TRUE );
|
||
default:
|
||
return( FALSE );
|
||
}
|
||
|
||
break;
|
||
|
||
default:
|
||
PPP_ASSERT( FALSE );
|
||
}
|
||
|
||
PPP_ASSERT( FALSE );
|
||
|
||
return( FALSE );
|
||
}
|
||
|
||
//**
|
||
//
|
||
// Call: ApStart
|
||
//
|
||
// Returns: TRUE - Success
|
||
// FALSE - Otherwise
|
||
//
|
||
// Description: Called to initiatialze the authetication protocol and to
|
||
// initiate to authentication.
|
||
//
|
||
BOOL
|
||
ApStart(
|
||
IN PCB * pPcb,
|
||
IN DWORD CpIndex,
|
||
IN BOOL fAuthenticator
|
||
)
|
||
{
|
||
DWORD dwRetCode;
|
||
PPPAP_INPUT PppApInput;
|
||
LCPCB * pLcpCb = (LCPCB*)(pPcb->LcpCb.pWorkBuf);
|
||
CPCB * pCpCb = ( fAuthenticator )
|
||
? &(pPcb->AuthenticatorCb)
|
||
: &(pPcb->AuthenticateeCb);
|
||
|
||
pCpCb->fConfigurable = TRUE;
|
||
pCpCb->State = FSM_INITIAL;
|
||
pCpCb->Protocol = CpTable[CpIndex].CpInfo.Protocol;
|
||
pCpCb->LastId = (DWORD)-1;
|
||
InitRestartCounters( pPcb, pCpCb );
|
||
|
||
ZeroMemory( &PppApInput, sizeof( PppApInput ) );
|
||
|
||
PppApInput.hPort = pPcb->hPort;
|
||
PppApInput.fServer = fAuthenticator;
|
||
PppApInput.fRouter = ( ROUTER_IF_TYPE_FULL_ROUTER ==
|
||
pPcb->pBcb->InterfaceInfo.IfType );
|
||
PppApInput.Luid = pPcb->Luid;
|
||
PppApInput.dwEapTypeToBeUsed = pPcb->dwEapTypeToBeUsed;
|
||
PppApInput.hTokenImpersonateUser = pPcb->pBcb->hTokenImpersonateUser;
|
||
PppApInput.pCustomAuthConnData = pPcb->pBcb->pCustomAuthConnData;
|
||
PppApInput.pCustomAuthUserData = pPcb->pBcb->pCustomAuthUserData;
|
||
PppApInput.EapUIData = pPcb->pBcb->EapUIData;
|
||
PppApInput.fLogon = ( pPcb->pBcb->fFlags &
|
||
BCBFLAG_LOGON_USER_DATA );
|
||
PppApInput.fNonInteractive = ( pPcb->fFlags &
|
||
PCBFLAG_NON_INTERACTIVE );
|
||
PppApInput.fConfigInfo = pPcb->ConfigInfo.dwConfigMask;
|
||
|
||
if ( fAuthenticator )
|
||
{
|
||
PppApInput.dwRetries = pPcb->dwAuthRetries;
|
||
PppApInput.pAPData = pLcpCb->Local.Work.pAPData;
|
||
PppApInput.APDataSize = pLcpCb->Local.Work.APDataSize;
|
||
PppApInput.pUserAttributes = pPcb->pUserAttributes;
|
||
|
||
ZeroMemory( &pPcb->pBcb->szRemoteUserName,
|
||
sizeof( pPcb->pBcb->szRemoteUserName ) );
|
||
}
|
||
else
|
||
{
|
||
//
|
||
// If we are a server and we do not know who is dialing in and therefore
|
||
// do not have credentials to use for being authenticated by the
|
||
// remote peer, then we wait till we do.
|
||
//
|
||
|
||
if ( pPcb->fFlags & PCBFLAG_IS_SERVER )
|
||
{
|
||
if ( strlen( pPcb->pBcb->szRemoteUserName ) == 0 )
|
||
{
|
||
PppLog(1,"Remote user not identifiable at this time, waiting");
|
||
|
||
return( FALSE );
|
||
}
|
||
|
||
//
|
||
// Ok we know who is dialed in so get credentials to used for this
|
||
// connection.
|
||
//
|
||
|
||
dwRetCode = GetCredentialsFromInterface( pPcb );
|
||
|
||
if ( dwRetCode != NO_ERROR )
|
||
{
|
||
//
|
||
// We do not have credentials to use for this user so we
|
||
// renegotiate LCP and do not accept the authentication option
|
||
//
|
||
|
||
PppLog( 1, "No credentials available to use for user=%s",
|
||
pPcb->pBcb->szRemoteUserName );
|
||
|
||
FsmDown( pPcb, LCP_INDEX );
|
||
|
||
pLcpCb->Remote.WillNegotiate &= (~LCP_N_AUTHENT);
|
||
|
||
FsmUp( pPcb, LCP_INDEX );
|
||
|
||
return( FALSE );
|
||
}
|
||
}
|
||
|
||
//
|
||
// Decode the password
|
||
//
|
||
|
||
DecodePw( pPcb->pBcb->chSeed, pPcb->pBcb->szPassword );
|
||
DecodePw( pPcb->pBcb->chSeed, pPcb->pBcb->szOldPassword );
|
||
|
||
PppApInput.pszUserName = pPcb->pBcb->szLocalUserName;
|
||
PppApInput.pszPassword = pPcb->pBcb->szPassword;
|
||
PppApInput.pszDomain = pPcb->pBcb->szLocalDomain;
|
||
PppApInput.pszOldPassword = pPcb->pBcb->szOldPassword;
|
||
PppApInput.pAPData = pLcpCb->Remote.Work.pAPData;
|
||
PppApInput.APDataSize = pLcpCb->Remote.Work.APDataSize;
|
||
PppApInput.dwInitialPacketId = (DWORD)GetUId( pPcb, CpIndex );
|
||
|
||
if ( CpTable[CpIndex].CpInfo.Protocol == PPP_EAP_PROTOCOL )
|
||
{
|
||
PppApInput.fPortWillBeBundled = WillPortBeBundled( pPcb );
|
||
PppApInput.fThisIsACallback =
|
||
( pPcb->fFlags & PCBFLAG_THIS_IS_A_CALLBACK );
|
||
}
|
||
}
|
||
|
||
dwRetCode = (CpTable[CpIndex].CpInfo.RasCpBegin)(&(pCpCb->pWorkBuf),
|
||
&PppApInput );
|
||
|
||
if ( !fAuthenticator )
|
||
{
|
||
//
|
||
// Encode the password back
|
||
//
|
||
|
||
EncodePw( pPcb->pBcb->chSeed, pPcb->pBcb->szPassword );
|
||
EncodePw( pPcb->pBcb->chSeed, pPcb->pBcb->szOldPassword );
|
||
}
|
||
|
||
if ( dwRetCode != NO_ERROR )
|
||
{
|
||
pPcb->LcpCb.dwError = dwRetCode;
|
||
|
||
NotifyCallerOfFailure( pPcb, dwRetCode );
|
||
|
||
return( FALSE );
|
||
}
|
||
PppLog(1,"Calling APWork in APStart");
|
||
ApWork( pPcb, CpIndex, NULL, NULL, fAuthenticator );
|
||
|
||
return( TRUE );
|
||
}
|
||
|
||
//**
|
||
//
|
||
// Call: ApStop
|
||
//
|
||
// Returns: none
|
||
//
|
||
// Description: Called to stop the authentication machine.
|
||
//
|
||
VOID
|
||
ApStop(
|
||
IN PCB * pPcb,
|
||
IN DWORD CpIndex,
|
||
IN BOOL fAuthenticator
|
||
)
|
||
{
|
||
CPCB * pCpCb = ( fAuthenticator )
|
||
? &(pPcb->AuthenticatorCb)
|
||
: &(pPcb->AuthenticateeCb);
|
||
|
||
if ( pCpCb->pWorkBuf == NULL )
|
||
{
|
||
return;
|
||
}
|
||
|
||
pCpCb->Protocol = 0;
|
||
pCpCb->fConfigurable = FALSE;
|
||
|
||
|
||
if ( pCpCb->LastId != (DWORD)-1 )
|
||
{
|
||
RemoveFromTimerQ(
|
||
pPcb->dwPortId,
|
||
pCpCb->LastId,
|
||
CpTable[CpIndex].CpInfo.Protocol,
|
||
fAuthenticator,
|
||
TIMER_EVENT_TIMEOUT );
|
||
}
|
||
|
||
(CpTable[CpIndex].CpInfo.RasCpEnd)( pCpCb->pWorkBuf );
|
||
|
||
pCpCb->pWorkBuf = NULL;
|
||
}
|
||
|
||
//**
|
||
//
|
||
// Call: ApWork
|
||
//
|
||
// Returns: none
|
||
//
|
||
// Description: Called when and authentication packet was received or
|
||
// a timeout occurred or to initiate authentication.
|
||
//
|
||
VOID
|
||
ApWork(
|
||
IN PCB * pPcb,
|
||
IN DWORD CpIndex,
|
||
IN PPP_CONFIG * pRecvConfig,
|
||
IN PPPAP_INPUT * pApInput,
|
||
IN BOOL fAuthenticator
|
||
)
|
||
{
|
||
DWORD dwRetCode;
|
||
DWORD dwLength;
|
||
PPPAP_RESULT ApResult;
|
||
PPP_CONFIG * pSendConfig = (PPP_CONFIG*)(pPcb->pSendBuf->Information);
|
||
LCPCB * pLcpCb = (LCPCB*)(pPcb->LcpCb.pWorkBuf);
|
||
CPCB * pCpCb = ( fAuthenticator )
|
||
? &(pPcb->AuthenticatorCb)
|
||
: &(pPcb->AuthenticateeCb);
|
||
|
||
//
|
||
// If the protocol has not been started yet, call ApStart
|
||
//
|
||
|
||
if ( pCpCb->pWorkBuf == NULL )
|
||
{
|
||
if ( !ApStart( pPcb, CpIndex, fAuthenticator ) )
|
||
{
|
||
return;
|
||
}
|
||
}
|
||
|
||
ZeroMemory( &ApResult, sizeof(ApResult) );
|
||
|
||
dwRetCode = (CpTable[CpIndex].CpInfo.RasApMakeMessage)(
|
||
pCpCb->pWorkBuf,
|
||
pRecvConfig,
|
||
pSendConfig,
|
||
((pLcpCb->Remote.Work.MRU > LCP_DEFAULT_MRU)
|
||
? LCP_DEFAULT_MRU : pLcpCb->Remote.Work.MRU)
|
||
- PPP_PACKET_HDR_LEN,
|
||
&ApResult,
|
||
pApInput );
|
||
|
||
if ( NULL != ApResult.szReplyMessage )
|
||
{
|
||
LocalFree( pPcb->pBcb->szReplyMessage );
|
||
|
||
pPcb->pBcb->szReplyMessage = ApResult.szReplyMessage;
|
||
}
|
||
|
||
if ( dwRetCode != NO_ERROR )
|
||
{
|
||
switch( dwRetCode )
|
||
{
|
||
case ERROR_PPP_INVALID_PACKET:
|
||
|
||
PppLog( 1, "Silently discarding invalid auth packet on port %d",
|
||
pPcb->hPort );
|
||
break;
|
||
|
||
default:
|
||
|
||
pPcb->LcpCb.dwError = dwRetCode;
|
||
|
||
PppLog( 1, "Auth Protocol %x returned error %d",
|
||
CpTable[CpIndex].CpInfo.Protocol, dwRetCode );
|
||
|
||
if ( fAuthenticator )
|
||
{
|
||
//
|
||
// Get the username from the CP if it supplies one.
|
||
//
|
||
|
||
if ( strlen( ApResult.szUserName ) > 0 )
|
||
{
|
||
strcpy( pPcb->pBcb->szRemoteUserName, ApResult.szUserName );
|
||
}
|
||
}
|
||
|
||
NotifyCallerOfFailure( pPcb, dwRetCode );
|
||
|
||
break;
|
||
}
|
||
|
||
return;
|
||
}
|
||
|
||
//
|
||
// Check to see if we have to save any user data
|
||
//
|
||
|
||
if ( ( !fAuthenticator ) && ( ApResult.fSaveUserData ) )
|
||
{
|
||
dwRetCode = RasSetEapUserDataA(
|
||
pPcb->pBcb->hTokenImpersonateUser,
|
||
pPcb->pBcb->szPhonebookPath,
|
||
pPcb->pBcb->szEntryName,
|
||
ApResult.pUserData,
|
||
ApResult.dwSizeOfUserData );
|
||
|
||
PppLog( 2, "Saved EAP data for user, dwRetCode = %d", dwRetCode );
|
||
}
|
||
|
||
//
|
||
// Check to see if we have to save any connection data
|
||
//
|
||
|
||
if ( ( !fAuthenticator ) && ( ApResult.fSaveConnectionData ) &&
|
||
( 0 != ApResult.SetCustomAuthData.dwSizeOfConnectionData ) )
|
||
{
|
||
NotifyCaller( pPcb, PPPMSG_SetCustomAuthData,
|
||
&(ApResult.SetCustomAuthData) );
|
||
|
||
PppLog( 2, "Saved EAP data for connection" );
|
||
}
|
||
|
||
switch( ApResult.Action )
|
||
{
|
||
|
||
case APA_Send:
|
||
case APA_SendWithTimeout:
|
||
case APA_SendWithTimeout2:
|
||
case APA_SendAndDone:
|
||
|
||
HostToWireFormat16( (WORD)CpTable[CpIndex].CpInfo.Protocol,
|
||
(PBYTE)(pPcb->pSendBuf->Protocol) );
|
||
|
||
dwLength = WireToHostFormat16( pSendConfig->Length );
|
||
|
||
LogPPPPacket(FALSE,pPcb,pPcb->pSendBuf,dwLength+PPP_PACKET_HDR_LEN);
|
||
|
||
if ( ( dwRetCode = PortSendOrDisconnect( pPcb,
|
||
(dwLength + PPP_PACKET_HDR_LEN)))
|
||
!= NO_ERROR )
|
||
{
|
||
return;
|
||
}
|
||
|
||
pCpCb->LastId = (DWORD)-1;
|
||
|
||
if ( ( ApResult.Action == APA_SendWithTimeout ) ||
|
||
( ApResult.Action == APA_SendWithTimeout2 ) )
|
||
{
|
||
pCpCb->LastId = ApResult.bIdExpected;
|
||
|
||
InsertInTimerQ( pPcb->dwPortId,
|
||
pPcb->hPort,
|
||
pCpCb->LastId,
|
||
CpTable[CpIndex].CpInfo.Protocol,
|
||
fAuthenticator,
|
||
TIMER_EVENT_TIMEOUT,
|
||
pPcb->RestartTimer );
|
||
|
||
//
|
||
// For SendWithTimeout2 we increment the ConfigRetryCount. This
|
||
// means send with infinite retry count
|
||
//
|
||
|
||
if ( ApResult.Action == APA_SendWithTimeout2 )
|
||
{
|
||
(pCpCb->ConfigRetryCount)++;
|
||
}
|
||
}
|
||
|
||
if ( ApResult.Action != APA_SendAndDone )
|
||
{
|
||
break;
|
||
}
|
||
|
||
case APA_Done:
|
||
|
||
switch( ApResult.dwError )
|
||
{
|
||
case NO_ERROR:
|
||
|
||
//
|
||
// If authentication was successful
|
||
//
|
||
|
||
if ( CpTable[CpIndex].CpInfo.Protocol == PPP_EAP_PROTOCOL )
|
||
{
|
||
if ( fAuthenticator )
|
||
{
|
||
pPcb->dwServerEapTypeId = ApResult.dwEapTypeId;
|
||
}
|
||
else
|
||
{
|
||
VOID *pCredentials = NULL;
|
||
|
||
pPcb->dwClientEapTypeId = ApResult.dwEapTypeId;
|
||
|
||
//
|
||
// Call the eap dll to collect credentials here
|
||
// so that they can be passed to rasman to be
|
||
// saved in the cred manager.
|
||
//
|
||
if( (NO_ERROR == EapGetCredentials(pCpCb->pWorkBuf,
|
||
&pCredentials))
|
||
&& (NULL != pCredentials))
|
||
{
|
||
//
|
||
// Below call is not fatal.
|
||
//
|
||
(void) RasSetPortUserData(
|
||
pPcb->hPort,
|
||
PORT_CREDENTIALS_INDEX,
|
||
pCredentials,
|
||
sizeof(RASMAN_CREDENTIALS));
|
||
|
||
ZeroMemory(pCredentials,
|
||
sizeof(RASMAN_CREDENTIALS));
|
||
LocalFree(pCredentials);
|
||
}
|
||
}
|
||
}
|
||
|
||
if ( fAuthenticator )
|
||
{
|
||
RAS_AUTH_ATTRIBUTE * pAttribute;
|
||
RAS_AUTH_ATTRIBUTE * pUserAttributes = NULL;
|
||
|
||
if ( NULL != pPcb->pBcb->szRemoteIdentity )
|
||
{
|
||
LOCAL_FREE( pPcb->pBcb->szRemoteIdentity );
|
||
|
||
pPcb->pBcb->szRemoteIdentity = NULL;
|
||
}
|
||
|
||
pPcb->pBcb->szRemoteIdentity =
|
||
LOCAL_ALLOC( LPTR, strlen( ApResult.szUserName ) + 1 );
|
||
|
||
if ( NULL == pPcb->pBcb->szRemoteIdentity )
|
||
{
|
||
dwRetCode = GetLastError();
|
||
|
||
pPcb->LcpCb.dwError = dwRetCode;
|
||
|
||
NotifyCallerOfFailure( pPcb, dwRetCode );
|
||
|
||
return;
|
||
}
|
||
|
||
strcpy( pPcb->pBcb->szRemoteIdentity, ApResult.szUserName );
|
||
|
||
dwRetCode = ExtractUsernameAndDomain(
|
||
ApResult.szUserName,
|
||
pPcb->pBcb->szRemoteUserName,
|
||
NULL );
|
||
|
||
if ( dwRetCode != NO_ERROR )
|
||
{
|
||
pPcb->LcpCb.dwError = dwRetCode;
|
||
|
||
NotifyCallerOfFailure( pPcb, dwRetCode );
|
||
|
||
return;
|
||
}
|
||
|
||
if ( 0 == pPcb->pBcb->szLocalUserName[0] )
|
||
{
|
||
if ( NO_ERROR != GetCredentialsFromInterface( pPcb ) )
|
||
{
|
||
pPcb->pBcb->szLocalUserName[0] =
|
||
pPcb->pBcb->szPassword[0] =
|
||
pPcb->pBcb->szLocalDomain[0] = 0;
|
||
}
|
||
}
|
||
|
||
if ( ApResult.pUserAttributes != NULL )
|
||
{
|
||
pPcb->pAuthProtocolAttributes = ApResult.pUserAttributes;
|
||
|
||
pUserAttributes = ApResult.pUserAttributes;
|
||
}
|
||
else
|
||
{
|
||
pUserAttributes = pPcb->pAuthenticatorAttributes;
|
||
}
|
||
|
||
//
|
||
// Set all the user connection parameters authorized by the
|
||
// back-end authenticator
|
||
//
|
||
|
||
dwRetCode = SetUserAuthorizedAttributes(
|
||
pPcb,
|
||
pUserAttributes,
|
||
fAuthenticator,
|
||
(BYTE*)&(ApResult.abChallenge),
|
||
(BYTE*)&(ApResult.abResponse));
|
||
|
||
if ( dwRetCode != NO_ERROR )
|
||
{
|
||
pPcb->LcpCb.dwError = dwRetCode;
|
||
|
||
NotifyCallerOfFailure( pPcb, dwRetCode );
|
||
|
||
return;
|
||
}
|
||
|
||
//
|
||
// If we are a server and we negotiated to be authenticated
|
||
// by the remote peer we can do so now that we know who
|
||
// is dialed in.
|
||
//
|
||
|
||
if ( ( pLcpCb->Remote.Work.AP != 0 ) &&
|
||
( pPcb->AuthenticateeCb.pWorkBuf == NULL ) &&
|
||
( pPcb->AuthenticateeCb.fConfigurable ) &&
|
||
( pPcb->fFlags & PCBFLAG_IS_SERVER ) )
|
||
{
|
||
CpIndex = GetCpIndexFromProtocol( pLcpCb->Remote.Work.AP );
|
||
|
||
PPP_ASSERT(( CpIndex != (DWORD)-1 ));
|
||
|
||
if ( !ApStart( pPcb, CpIndex, FALSE ) )
|
||
{
|
||
return;
|
||
}
|
||
}
|
||
}
|
||
else
|
||
{
|
||
//
|
||
// Get the username from the CP if it supplies one.
|
||
//
|
||
|
||
if ( ( strlen( pPcb->pBcb->szLocalUserName ) == 0 )
|
||
&& ( strlen( ApResult.szUserName ) > 0 ) )
|
||
{
|
||
strcpy( pPcb->pBcb->szLocalUserName, ApResult.szUserName );
|
||
}
|
||
|
||
dwRetCode = SetUserAuthorizedAttributes(
|
||
pPcb,
|
||
ApResult.pUserAttributes,
|
||
fAuthenticator,
|
||
(BYTE*)&(ApResult.abChallenge),
|
||
(BYTE*)&(ApResult.abResponse));
|
||
|
||
if ( dwRetCode != NO_ERROR )
|
||
{
|
||
pPcb->LcpCb.dwError = dwRetCode;
|
||
|
||
NotifyCallerOfFailure( pPcb, dwRetCode );
|
||
|
||
return;
|
||
}
|
||
|
||
pPcb->pAuthProtocolAttributes = ApResult.pUserAttributes;
|
||
}
|
||
|
||
pCpCb->State = FSM_OPENED;
|
||
|
||
FsmThisLayerUp( pPcb, CpIndex );
|
||
|
||
break;
|
||
|
||
case ERROR_PASSWD_EXPIRED:
|
||
|
||
if ( pPcb->fFlags & PCBFLAG_IS_SERVER )
|
||
{
|
||
//
|
||
// We are a server and hence in non-interactive mode and
|
||
// hence we cannot do this.
|
||
//
|
||
|
||
pPcb->LcpCb.dwError = ApResult.dwError;
|
||
|
||
NotifyCallerOfFailure( pPcb, pPcb->LcpCb.dwError );
|
||
|
||
return;
|
||
}
|
||
else
|
||
{
|
||
//
|
||
// Password has expired so the user has to change his/her
|
||
// password.
|
||
//
|
||
|
||
NotifyCaller( pPcb, PPPMSG_ChangePwRequest, NULL );
|
||
}
|
||
|
||
break;
|
||
|
||
default:
|
||
|
||
//
|
||
// If we can retry with a new password then tell the client to
|
||
// get a new one from the user.
|
||
//
|
||
|
||
if ( (!fAuthenticator) && ( ApResult.fRetry ))
|
||
{
|
||
if ( pPcb->fFlags & PCBFLAG_IS_SERVER )
|
||
{
|
||
//
|
||
// We are a server and hence in non-interactive mode and
|
||
// hence we cannot do this.
|
||
//
|
||
|
||
pPcb->LcpCb.dwError = ApResult.dwError;
|
||
|
||
NotifyCallerOfFailure( pPcb, pPcb->LcpCb.dwError );
|
||
|
||
return;
|
||
}
|
||
else
|
||
{
|
||
PppLog( 2, "Sending auth retry message to UI" );
|
||
|
||
NotifyCaller( pPcb, PPPMSG_AuthRetry, &(ApResult.dwError) );
|
||
}
|
||
}
|
||
else
|
||
{
|
||
PppLog( 1, "Auth Protocol %x terminated with error %d",
|
||
CpTable[CpIndex].CpInfo.Protocol, ApResult.dwError );
|
||
|
||
if ( ApResult.szUserName[0] != (CHAR)NULL )
|
||
{
|
||
strcpy( pPcb->pBcb->szRemoteUserName, ApResult.szUserName );
|
||
}
|
||
|
||
if ( !( pPcb->fFlags & PCBFLAG_IS_SERVER ) &&
|
||
( fAuthenticator) )
|
||
{
|
||
pPcb->LcpCb.dwError = RemoteError( ApResult.dwError );
|
||
}
|
||
else
|
||
{
|
||
pPcb->LcpCb.dwError = ApResult.dwError;
|
||
}
|
||
|
||
NotifyCallerOfFailure( pPcb, pPcb->LcpCb.dwError );
|
||
|
||
return;
|
||
}
|
||
|
||
break;
|
||
}
|
||
|
||
break;
|
||
|
||
case APA_Authenticate:
|
||
|
||
if ( fAuthenticator )
|
||
{
|
||
DWORD dwIndex = 0;
|
||
DWORD dwExtraAttributes = 0;
|
||
DWORD dwNumUserAttributes = 0;
|
||
RAS_AUTH_ATTRIBUTE * pUserAttributes = NULL;
|
||
|
||
for ( dwNumUserAttributes = 0;
|
||
pPcb->pUserAttributes[dwNumUserAttributes].raaType
|
||
!= raatMinimum;
|
||
dwNumUserAttributes++ );
|
||
|
||
if ( CpTable[CpIndex].CpInfo.Protocol == PPP_EAP_PROTOCOL )
|
||
{
|
||
//
|
||
// One more for Framed-MTU
|
||
//
|
||
|
||
dwExtraAttributes = 1;
|
||
}
|
||
|
||
pUserAttributes = RasAuthAttributeCopyWithAlloc(
|
||
ApResult.pUserAttributes,
|
||
dwNumUserAttributes + dwExtraAttributes );
|
||
|
||
if ( pUserAttributes == NULL )
|
||
{
|
||
dwRetCode = GetLastError();
|
||
|
||
pPcb->LcpCb.dwError = dwRetCode;
|
||
|
||
NotifyCallerOfFailure( pPcb, pPcb->LcpCb.dwError );
|
||
|
||
return;
|
||
}
|
||
|
||
if ( dwExtraAttributes )
|
||
{
|
||
ULONG mru = (pLcpCb->Remote.Work.MRU > LCP_DEFAULT_MRU) ?
|
||
LCP_DEFAULT_MRU : pLcpCb->Remote.Work.MRU;
|
||
//
|
||
// Insert the Framed-MTU attribute at the start.
|
||
//
|
||
|
||
dwRetCode = RasAuthAttributeInsert(
|
||
0,
|
||
pUserAttributes,
|
||
raatFramedMTU,
|
||
FALSE,
|
||
4,
|
||
(LPVOID)
|
||
( UlongToPtr(mru)) );
|
||
|
||
if ( dwRetCode != NO_ERROR )
|
||
{
|
||
RasAuthAttributeDestroy( pUserAttributes );
|
||
|
||
pPcb->LcpCb.dwError = dwRetCode;
|
||
|
||
NotifyCallerOfFailure( pPcb, pPcb->LcpCb.dwError );
|
||
|
||
return;
|
||
}
|
||
}
|
||
|
||
//
|
||
// Insert the extra (user) attributes at the start. Attributes
|
||
// returned by the auth protocol follow.
|
||
//
|
||
|
||
for ( dwIndex = 0; dwIndex < dwNumUserAttributes; dwIndex++ )
|
||
{
|
||
dwRetCode = RasAuthAttributeInsert(
|
||
dwIndex + dwExtraAttributes,
|
||
pUserAttributes,
|
||
pPcb->pUserAttributes[dwIndex].raaType,
|
||
FALSE,
|
||
pPcb->pUserAttributes[dwIndex].dwLength,
|
||
pPcb->pUserAttributes[dwIndex].Value );
|
||
|
||
if ( dwRetCode != NO_ERROR )
|
||
{
|
||
RasAuthAttributeDestroy( pUserAttributes );
|
||
|
||
pPcb->LcpCb.dwError = dwRetCode;
|
||
|
||
NotifyCallerOfFailure( pPcb, pPcb->LcpCb.dwError );
|
||
|
||
return;
|
||
}
|
||
}
|
||
|
||
dwRetCode = RasAuthenticateClient( pPcb->hPort, pUserAttributes );
|
||
|
||
if ( dwRetCode != NO_ERROR )
|
||
{
|
||
pPcb->LcpCb.dwError = dwRetCode;
|
||
|
||
NotifyCallerOfFailure( pPcb, pPcb->LcpCb.dwError );
|
||
|
||
return;
|
||
}
|
||
}
|
||
|
||
break;
|
||
|
||
case APA_NoAction:
|
||
|
||
break;
|
||
|
||
default:
|
||
|
||
break;
|
||
}
|
||
|
||
//
|
||
// Check to see if we have to bring up the UI for EAP
|
||
//
|
||
|
||
if ( ( !fAuthenticator ) && ( ApResult.fInvokeEapUI ) )
|
||
{
|
||
NotifyCaller(pPcb, PPPMSG_InvokeEapUI, &(ApResult.InvokeEapUIData));
|
||
}
|
||
}
|