able/windows-nt
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
windows-nt/Source/XPSP1/NT/net/ias/providers/ntuser/eap/eapsession.cpp
CryptoAlgo Inc b3cac27891 Add source files
2020-09-26 16:20:57 +08:00

719 lines
19 KiB
C++
Raw Blame History

///////////////////////////////////////////////////////////////////////////////
//
// Copyright (c) 1998, Microsoft Corp. All rights reserved.
//
// FILE
//
// EAPSession.cpp
//
// SYNOPSIS
//
// This file defines the class EAPSession.
//
// MODIFICATION HISTORY
//
// 01/15/1998 Original version.
// 06/02/1998 Pass NT4-Account-Name for the identity.
// 06/12/1998 Changed put_Response to SetResponse.
// 07/29/1998 Preserve all attributes added by pipeline.
// 08/27/1998 Use new EAPFSM class.
// 10/09/1998 Preserve order when saving profile attributes.
// 10/13/1998 Add maxPacketLength property.
// 10/24/1998 Account lockout support.
// 11/13/1998 Pass event log handle to RasEapBegin.
// 11/24/1998 Don't accept a Framed-MTU of less than 64 bytes.
// 02/03/1999 Change NP-Authentication-Type to 5.
// 02/13/1999 MPPE keys are returned as type 26.
// 05/04/1999 New error codes.
// 05/11/1999 Fix RADIUS encryption.
// 05/20/1999 Identity is now a Unicode string.
// 02/17/2000 Key encryption is now handled by the protocol.
//
///////////////////////////////////////////////////////////////////////////////
#include <ias.h>
#include <iaslsa.h>
#include <lockout.h>
#include <samutil.h>
#include <sdoias.h>
#include <eapdnary.h>
#include <eapsession.h>
#include <eapstate.h>
#include <eaptype.h>
// Default value for the Framed-MTU attribute.
const DWORD FRAMED_MTU_DEFAULT = 1500;
// Minimum allowed value for the Framed-MTU attribute.
const DWORD FRAMED_MTU_MIN = 64;
// The maximum length of the frame header. i.e. max(2,4).
// 2 for the PPP header and 4 for the 802.1X header.
// The length of the frame header plus the length
// of the EAP packet must be less than the Framed-MTU.
const DWORD FRAME_HEADER_LENGTH = 4;
// Absolute maximum length of an EAP packet. We bound this to limit worst-case
// memory consumption.
const DWORD MAX_MAX_PACKET_LENGTH = 2048;
//////////
// Inject a PPP_EAP_PACKET into a request.
//////////
VOID
WINAPI
InjectPacket(
IASRequest& request,
const PPP_EAP_PACKET& packet
)
{
// Get the raw buffer to be packed.
const BYTE* buf = (const BYTE*)&packet;
DWORD nbyte = IASExtractWORD(packet.Length);
IASTracePrintf("Inserting outbound EAP-Message of length %lu.", nbyte);
// Determine the maximum chunk size.
DWORD chunkSize;
switch (request.get_Protocol())
{
case IAS_PROTOCOL_RADIUS:
chunkSize = 253;
break;
default:
chunkSize = nbyte;
}
// Split the buffer into chunks.
while (nbyte)
{
// Compute how many bytes of the EAP-Message to store in this attribute.
DWORD length = min(nbyte, chunkSize);
// Initialize the attribute fields.
IASAttribute attr(true);
attr.setOctetString(length, buf);
attr->dwId = RADIUS_ATTRIBUTE_EAP_MESSAGE;
attr->dwFlags = IAS_INCLUDE_IN_RESPONSE;
// Inject the attribute into the request.
attr.store(request);
// Update our state.
nbyte -= length;
buf += length;
}
}
//////////
// Extracts the Vendor-Type field from a Microsoft VSA. Returns zero if the
// attribute is not a valid Microsoft VSA.
//////////
BYTE
WINAPI
ExtractMicrosoftVendorType(
const IASATTRIBUTE& attr
) throw ()
{
if (attr.dwId == RADIUS_ATTRIBUTE_VENDOR_SPECIFIC &&
attr.Value.itType == IASTYPE_OCTET_STRING &&
attr.Value.OctetString.dwLength > 6 &&
!memcmp(attr.Value.OctetString.lpValue, "\x00\x00\x01\x37", 4))
{
return *(attr.Value.OctetString.lpValue + 4);
}
return (BYTE)0;
}
//////////
// Inject an array of RAS attributes into a request.
//////////
VOID
WINAPI
InjectRASAttributes(
IASRequest& request,
const RAS_AUTH_ATTRIBUTE* rasAttrs,
DWORD flags
)
{
if (rasAttrs == NULL) { return; }
//////////
// Translate them to IAS format.
//////////
IASTraceString("Translating attributes returned by EAP DLL.");
IASAttributeVectorWithBuffer<8> iasAttrs;
EAPTranslator::translate(iasAttrs, rasAttrs);
//////////
// Iterate through the converted attributes to set the flags and remove any
// matching attributes from the request.
//////////
IASAttributeVector::iterator i;
for (i = iasAttrs.begin(); i != iasAttrs.end(); ++i)
{
IASTracePrintf("Inserting attribute %lu", i->pAttribute->dwId);
i->pAttribute->dwFlags = flags;
request.RemoveAttributesByType(1, &(i->pAttribute->dwId));
}
//////////
// Add them to the request.
//////////
iasAttrs.store(request);
}
//////////
// Performs NT-SAM PAP and MD5-CHAP authentication based on RAS attributes.
//////////
DWORD
WINAPI
AuthenticateUser(
IAS_STRING& account,
RAS_AUTH_ATTRIBUTE* pInAttributes
) throw ()
{
//////////
// Check the input parameters.
//////////
if (!pInAttributes) { return NO_ERROR; }
//////////
// Get the NT-SAM userName and domain.
//////////
PCWSTR userName, domain;
EXTRACT_SAM_IDENTITY(account, domain, userName);
//////////
// Find the credentials populated by the EAP DLL.
//////////
PRAS_AUTH_ATTRIBUTE rasUserPassword = NULL,
rasMD5CHAPPassword = NULL,
rasMD5CHAPChallenge = NULL;
for ( ; pInAttributes->raaType != raatMinimum; ++pInAttributes)
{
switch (pInAttributes->raaType)
{
case raatUserPassword:
rasUserPassword = pInAttributes;
break;
case raatMD5CHAPPassword:
rasMD5CHAPPassword = pInAttributes;
break;
case raatMD5CHAPChallenge:
rasMD5CHAPChallenge = pInAttributes;
break;
}
}
DWORD status = NO_ERROR;
// Is this MD5-CHAP?
if (rasMD5CHAPPassword && rasMD5CHAPChallenge)
{
_ASSERT(rasMD5CHAPPassword->dwLength == 17);
// The ID is the first byte of the password ...
BYTE challengeID = *(PBYTE)(rasMD5CHAPPassword->Value);
// ... and the password is the rest.
PBYTE chapPassword = (PBYTE)(rasMD5CHAPPassword->Value) + 1;
IASTracePrintf("Performing CHAP authentication for user %S\\%S.",
domain, userName);
HANDLE token;
status = IASLogonCHAP(
userName,
domain,
challengeID,
(PBYTE)(rasMD5CHAPChallenge->Value),
rasMD5CHAPChallenge->dwLength,
chapPassword,
&token
);
CloseHandle(token);
}
// Is this PAP?
else if (rasUserPassword)
{
// Convert to a null-terminated string.
IAS_OCTET_STRING octstr = { rasUserPassword->dwLength,
(PBYTE)rasUserPassword->Value };
PCSTR userPwd = IAS_OCT2ANSI(octstr);
IASTracePrintf("Performing PAP authentication for user %S\\%S.",
domain, userName);
HANDLE token;
status = IASLogonPAP(
userName,
domain,
userPwd,
&token
);
CloseHandle(token);
}
return status;
}
//////////
// Updates the AccountLockout database.
//////////
VOID
WINAPI
UpdateAcccountLockoutDB(
IAS_STRING& account,
DWORD authResult
) throw ()
{
// Get the NT-SAM userName and domain.
PCWSTR userName, domain;
EXTRACT_SAM_IDENTITY(account, domain, userName);
// Lookup the user in the lockout DB.
HANDLE hAccount;
AccountLockoutOpenAndQuery(userName, domain, &hAccount);
// Report the result.
if (authResult == NO_ERROR)
{
AccountLockoutUpdatePass(hAccount);
}
else
{
AccountLockoutUpdateFail(hAccount);
}
// Close the handle.
AccountLockoutClose(hAccount);
}
//////////
// Define the static members.
//////////
LONG EAPSession::theNextID = 0;
LONG EAPSession::theRefCount = 0;
IASAttribute EAPSession::theNormalTimeout;
IASAttribute EAPSession::theInteractiveTimeout;
HANDLE EAPSession::theIASEventLog;
HANDLE EAPSession::theRASEventLog;
EAPSession::EAPSession(const IASAttribute& accountName, const EAPType& eapType)
: id((DWORD)InterlockedIncrement(&theNextID)),
type(eapType),
account(accountName),
state(EAPState::createAttribute(id), false),
fsm((BYTE)eapType.dwEapTypeId),
maxPacketLength(FRAMED_MTU_DEFAULT - FRAME_HEADER_LENGTH),
workBuffer(NULL),
sendPacket(NULL)
{ }
EAPSession::~EAPSession() throw ()
{
delete[] sendPacket;
if (workBuffer) { type.RasEapEnd(workBuffer); }
}
IASREQUESTSTATUS EAPSession::begin(
IASRequest& request,
PPPP_EAP_PACKET recvPacket
)
{
//////////
// Get all the attributes from the request.
//////////
USES_IAS_STACK_VECTOR();
IASAttributeVectorOnStack(all, request, 0);
all.load(request, 0, NULL);
//////////
// Scan for the Framed-MTU attribute and compute the profile size.
//////////
DWORD profileSize = 0;
IASAttributeVector::iterator i;
for (i = all.begin(); i != all.end(); ++i)
{
if (i->pAttribute->dwId == RADIUS_ATTRIBUTE_FRAMED_MTU)
{
DWORD framedMTU = i->pAttribute->Value.Integer;
// Only process valid values.
if (framedMTU >= FRAMED_MTU_MIN)
{
// Leave room for the frame header.
maxPacketLength = framedMTU - FRAME_HEADER_LENGTH;
// Make sure we're within bounds.
if (maxPacketLength > MAX_MAX_PACKET_LENGTH)
{
maxPacketLength = MAX_MAX_PACKET_LENGTH;
}
}
IASTracePrintf("Setting max. packet length to %lu.", maxPacketLength);
}
if (!(i->pAttribute->dwFlags & IAS_RECVD_FROM_PROTOCOL))
{
++profileSize;
}
}
//////////
// Save and remove the profile attributes.
//////////
profile.reserve(profileSize);
for (i = all.begin(); i != all.end(); ++i)
{
if (!(i->pAttribute->dwFlags & IAS_RECVD_FROM_PROTOCOL))
{
profile.push_back(*i);
}
}
profile.remove(request);
//////////
// Convert the attributes received from the client to RAS format.
//////////
PRAS_AUTH_ATTRIBUTE ras = IAS_STACK_NEW(RAS_AUTH_ATTRIBUTE, all.size() + 1);
EAPTranslator::translate(ras, all, IAS_RECVD_FROM_CLIENT);
//////////
// Initialize the EAPInput struct.
//////////
EAPInput eapInput;
eapInput.fAuthenticator = TRUE;
eapInput.pUserAttributes = ras;
eapInput.bInitialId = recvPacket->Id + (BYTE)1;
eapInput.pwszIdentity = account->Value.String.pszWide;
switch (request.get_Protocol())
{
case IAS_PROTOCOL_RADIUS:
eapInput.hReserved = theIASEventLog;
break;
case IAS_PROTOCOL_RAS:
eapInput.hReserved = theRASEventLog;
break;
}
//////////
// Begin the session with the EAP DLL.
//////////
DWORD error = type.RasEapBegin(&workBuffer, &eapInput);
if (error != NO_ERROR)
{
IASTraceFailure("RasEapBegin", error);
request.SetResponse(IAS_RESPONSE_DISCARD_PACKET, IAS_INTERNAL_ERROR);
return IAS_REQUEST_STATUS_ABORT;
}
//////////
// We have successfully established the session, so process the message.
//////////
return process(request, recvPacket);
}
IASREQUESTSTATUS EAPSession::process(
IASRequest& request,
PPPP_EAP_PACKET recvPacket
)
{
// Trigger an event on the FSM.
switch (fsm.onReceiveEvent(*recvPacket))
{
case EAPFSM::MAKE_MESSAGE:
break;
case EAPFSM::REPLAY_LAST:
IASTraceString("EAP-Message appears to be a retransmission. "
"Replaying last action.");
return doAction(request);
case EAPFSM::FAIL_NEGOTIATE:
IASTraceString("EAP negotiation failed. Rejecting user.");
request.SetResponse(IAS_RESPONSE_ACCESS_REJECT,
IAS_UNSUPPORTED_AUTH_TYPE);
return IAS_REQUEST_STATUS_HANDLED;
case EAPFSM::DISCARD:
IASTraceString("EAP-Message is unexpected. Discarding packet.");
request.SetResponse(IAS_RESPONSE_DISCARD_PACKET,
IAS_UNEXPECTED_REQUEST);
return IAS_REQUEST_STATUS_ABORT;
}
// Allocate a temporary packet to hold the response.
PPPP_EAP_PACKET tmpPacket = (PPPP_EAP_PACKET)_alloca(maxPacketLength);
// Clear the previous output from the DLL.
eapOutput.clear();
DWORD error;
error = type.RasEapMakeMessage(
workBuffer,
recvPacket,
tmpPacket,
maxPacketLength,
&eapOutput,
NULL
);
if (error != NO_ERROR)
{
IASTraceFailure("RasEapMakeMessage", error);
request.SetResponse(IAS_RESPONSE_DISCARD_PACKET, IAS_INTERNAL_ERROR);
return IAS_REQUEST_STATUS_ABORT;
}
while (eapOutput.Action == EAPACTION_Authenticate)
{
IASTraceString("EAP DLL invoked default authenticator.");
// Authenticate the user.
DWORD authResult = AuthenticateUser(
account->Value.String,
eapOutput.pUserAttributes
);
//////////
// Convert the profile to RAS format.
//////////
DWORD filter;
if (authResult == NO_ERROR)
{
IASTraceString("Default authentication succeeded.");
filter = IAS_INCLUDE_IN_ACCEPT;
}
else
{
IASTraceFailure("Default authentication", authResult);
filter = IAS_INCLUDE_IN_REJECT;
}
PRAS_AUTH_ATTRIBUTE ras = IAS_STACK_NEW(RAS_AUTH_ATTRIBUTE,
profile.size() + 1);
EAPTranslator::translate(ras, profile, filter);
//////////
// Give the result to the EAP DLL.
//////////
EAPInput authInput;
authInput.dwAuthResultCode = authResult;
authInput.fAuthenticationComplete = TRUE;
authInput.pUserAttributes = ras;
eapOutput.clear();
error = type.RasEapMakeMessage(
workBuffer,
NULL,
tmpPacket,
maxPacketLength,
&eapOutput,
&authInput
);
if (error != NO_ERROR)
{
IASTraceFailure("RasEapMakeMessage", error);
request.SetResponse(IAS_RESPONSE_DISCARD_PACKET, IAS_INTERNAL_ERROR);
return IAS_REQUEST_STATUS_ABORT;
}
}
//////////
// Trigger an event on the FSM.
//////////
fsm.onDllEvent(eapOutput.Action, *tmpPacket);
// Clear the old send packet ...
delete[] sendPacket;
sendPacket = NULL;
// ... and save the new one if available.
switch (eapOutput.Action)
{
case EAPACTION_SendAndDone:
case EAPACTION_Send:
case EAPACTION_SendWithTimeout:
case EAPACTION_SendWithTimeoutInteractive:
{
size_t length = IASExtractWORD(tmpPacket->Length);
sendPacket = (PPPP_EAP_PACKET)new BYTE[length];
memcpy(sendPacket, tmpPacket, length);
}
}
//////////
// Perform the requested action.
//////////
return doAction(request);
}
IASREQUESTSTATUS EAPSession::doAction(IASRequest& request)
{
IASTraceString("Processing output from EAP DLL.");
switch (eapOutput.Action)
{
case EAPACTION_SendAndDone:
{
InjectPacket(request, *sendPacket);
}
case EAPACTION_Done:
{
// Update the account lockout database.
UpdateAcccountLockoutDB(
account->Value.String,
eapOutput.dwAuthResultCode
);
// Add the profile first, so that the EAP DLL can override it.
profile.store(request);
DWORD flags = eapOutput.dwAuthResultCode ? IAS_INCLUDE_IN_REJECT
: IAS_INCLUDE_IN_ACCEPT;
InjectRASAttributes(request, eapOutput.pUserAttributes, flags);
if (eapOutput.dwAuthResultCode == NO_ERROR)
{
IASTraceString("EAP authentication succeeded.");
type.getFriendlyName().store(request);
request.SetResponse(IAS_RESPONSE_ACCESS_ACCEPT, S_OK);
}
else
{
IASTraceFailure("EAP authentication", eapOutput.dwAuthResultCode);
HRESULT hr = IASMapWin32Error(eapOutput.dwAuthResultCode,
IAS_AUTH_FAILURE);
request.SetResponse(IAS_RESPONSE_ACCESS_REJECT, hr);
}
return IAS_REQUEST_STATUS_HANDLED;
}
case EAPACTION_SendWithTimeoutInteractive:
case EAPACTION_SendWithTimeout:
{
if (eapOutput.Action == EAPACTION_SendWithTimeoutInteractive)
{
theInteractiveTimeout.store(request);
}
else
{
theNormalTimeout.store(request);
}
}
case EAPACTION_Send:
{
InjectRASAttributes(request,
eapOutput.pUserAttributes,
IAS_INCLUDE_IN_CHALLENGE);
InjectPacket(request, *sendPacket);
state.store(request);
IASTraceString("Issuing Access-Challenge.");
request.SetResponse(IAS_RESPONSE_ACCESS_CHALLENGE, S_OK);
break;
}
case EAPACTION_NoAction:
default:
{
IASTraceString("EAP DLL returned No Action. Discarding packet.");
request.SetResponse(IAS_RESPONSE_DISCARD_PACKET, IAS_INTERNAL_ERROR);
}
}
return IAS_REQUEST_STATUS_ABORT;
}
HRESULT EAPSession::initialize() throw ()
{
std::_Lockit _Lk;
if (theRefCount == 0)
{
PIASATTRIBUTE attrs[2];
DWORD dw = IASAttributeAlloc(2, attrs);
if (dw != NO_ERROR) { return HRESULT_FROM_WIN32(dw); }
theNormalTimeout.attach(attrs[0], false);
theNormalTimeout->dwId = RADIUS_ATTRIBUTE_SESSION_TIMEOUT;
theNormalTimeout->Value.itType = IASTYPE_INTEGER;
theNormalTimeout->Value.Integer = 6;
theNormalTimeout.setFlag(IAS_INCLUDE_IN_CHALLENGE);
theInteractiveTimeout.attach(attrs[1], false);
theInteractiveTimeout->dwId = RADIUS_ATTRIBUTE_SESSION_TIMEOUT;
theInteractiveTimeout->Value.itType = IASTYPE_INTEGER;
theInteractiveTimeout->Value.Integer = 30;
theInteractiveTimeout.setFlag(IAS_INCLUDE_IN_CHALLENGE);
theIASEventLog = RegisterEventSourceW(NULL, L"IAS");
theRASEventLog = RegisterEventSourceW(NULL, L"RemoteAccess");
}
++theRefCount;
return S_OK;
}
void EAPSession::finalize() throw ()
{
std::_Lockit _Lk;
if (--theRefCount == 0)
{
DeregisterEventSource(theRASEventLog);
DeregisterEventSource(theIASEventLog);
theInteractiveTimeout.release();
theNormalTimeout.release();
}
}
Reference in a new issue View git blame Copy permalink