OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include <Ntsecapi.h> | |
cpu_(ooo_6.6-7.5)
2013/10/22 21:10:06
it seems we don't capitalize the files that we #in
Will Harris
2013/10/23 14:57:18
Done.
| |
6 #include <WinCred.h> | |
7 #include <Windows.h> | |
8 | |
9 // SECURITY_WIN32 must be defined in order to get | |
10 // EXTENDED_NAME_FORMAT enumeration. | |
11 #define SECURITY_WIN32 1 | |
12 | |
13 #define PASSWORD_MANAGER_MAX_PASSWORD_TRIES 3 | |
14 | |
15 #include <Security.h> | |
16 | |
cpu_(ooo_6.6-7.5)
2013/10/22 21:10:06
possibly undefine SECURITY_WIN32 here?
Will Harris
2013/10/23 14:57:18
Done.
| |
17 #include "base/strings/utf_string_conversions.h" | |
18 #include "grit/chromium_strings.h" | |
19 #include "ui/base/l10n/l10n_util.h" | |
20 | |
21 namespace password_manager_util { | |
22 | |
23 bool AuthenticateUser() { | |
cpu_(ooo_6.6-7.5)
2013/10/22 21:10:06
can you point me to the caller of this function?
Will Harris
2013/10/23 14:57:18
in CL 28713002 filename password_manager_handler.c
| |
24 bool retval = false; | |
25 CREDUI_INFO cui = {}; | |
26 WCHAR pszUserName[CREDUI_MAX_USERNAME_LENGTH+1] = {}; | |
27 WCHAR pszDisplayName[CREDUI_MAX_USERNAME_LENGTH+1] = {}; | |
28 WCHAR pszPwd[CREDUI_MAX_PASSWORD_LENGTH+1] = {}; | |
29 DWORD usernameLen = CREDUI_MAX_USERNAME_LENGTH; | |
30 std::wstring product_name = | |
31 UTF16ToWide(l10n_util::GetStringUTF16(IDS_PRODUCT_NAME)); | |
cpu_(ooo_6.6-7.5)
2013/10/22 21:10:06
indenting is off.
Will Harris
2013/10/23 14:57:18
Done.
| |
32 std::wstring password_prompt = | |
33 UTF16ToWide(l10n_util::GetStringUTF16( | |
34 IDS_PASSWORDS_PAGE_AUTHENTICATION_PROMPT)); | |
35 HANDLE hToken = INVALID_HANDLE_VALUE; | |
cpu_(ooo_6.6-7.5)
2013/10/22 21:10:06
here and elsewhere, do not name variables Microsof
Will Harris
2013/10/23 14:57:18
Done.
| |
36 int tries = 0; | |
37 bool useDisplayName = false; | |
38 bool useUpnName = false; | |
39 DWORD logonErr = 0; | |
40 | |
41 // On a domain, we obtain the User Principle Name | |
cpu_(ooo_6.6-7.5)
2013/10/22 21:10:06
/s/Principal
Will Harris
2013/10/23 14:57:18
Done.
| |
42 // for domain authentication. | |
43 if (GetUserNameEx(NameUserPrincipal, pszUserName, &usernameLen)) { | |
44 useUpnName = true; | |
45 } else { | |
46 usernameLen = CREDUI_MAX_USERNAME_LENGTH; | |
47 // Otherwise, we're a workstation, use the plain local username. | |
48 if (!GetUserName(pszUserName, &usernameLen)) { | |
49 DLOG(ERROR) << "Unable to obtain username " << GetLastError(); | |
50 return false; | |
51 } else { | |
52 // as we are on a workstation, it's possible the user | |
53 // has no password, so check here | |
54 logonErr = LogonUser(pszUserName, | |
55 L".", | |
56 L"", | |
57 LOGON32_LOGON_INTERACTIVE, | |
cpu_(ooo_6.6-7.5)
2013/10/22 21:10:06
see my comment of line 114
Will Harris
2013/10/23 14:57:18
Done.
| |
58 LOGON32_PROVIDER_DEFAULT, | |
59 &hToken); | |
60 // ERROR_ACCOUNT_RESTRICTION means the password is blank | |
61 // and Windows XP and above return ERROR_ACCOUNT_RESTRICTION | |
62 // see http://support.microsoft.com/kb/303846 | |
63 if (logonErr || GetLastError() == ERROR_ACCOUNT_RESTRICTION) { | |
64 SecureZeroMemory(pszUserName, sizeof(pszUserName)); | |
65 CloseHandle(hToken); | |
cpu_(ooo_6.6-7.5)
2013/10/22 21:10:06
My reading indicates that you are closing INVALID_
Will Harris
2013/10/23 14:57:18
Done.
| |
66 return true; | |
67 } | |
68 } | |
69 } | |
70 | |
71 // Try and obtain a friendly display name. | |
72 usernameLen = CREDUI_MAX_USERNAME_LENGTH; | |
73 if (GetUserNameEx(NameDisplay, pszDisplayName, &usernameLen)) { | |
74 useDisplayName = true; | |
75 } | |
76 | |
77 cui.cbSize = sizeof(CREDUI_INFO); | |
78 cui.hwndParent = NULL; | |
79 cui.pszMessageText = password_prompt.c_str(); | |
80 cui.pszCaptionText = product_name.c_str(); | |
81 | |
82 cui.hbmBanner = NULL; | |
83 BOOL fSave = FALSE; | |
84 DWORD credErr = NO_ERROR; | |
85 | |
86 do { | |
87 SecureZeroMemory(pszPwd, sizeof(pszPwd)); | |
88 tries++; | |
89 | |
90 // TODO(wfh) make sure we support smart cards here | |
cpu_(ooo_6.6-7.5)
2013/10/22 21:10:06
here and elsewhere, make sure comments end with a
Will Harris
2013/10/23 14:57:18
Done.
| |
91 credErr = CredUIPromptForCredentials( | |
92 &cui, | |
93 product_name.c_str(), | |
94 NULL, | |
95 0, | |
96 useDisplayName ? pszDisplayName : pszUserName, | |
97 CREDUI_MAX_USERNAME_LENGTH+1, | |
98 pszPwd, | |
99 CREDUI_MAX_PASSWORD_LENGTH+1, | |
100 &fSave, | |
101 CREDUI_FLAGS_GENERIC_CREDENTIALS | | |
102 CREDUI_FLAGS_EXCLUDE_CERTIFICATES | | |
103 CREDUI_FLAGS_KEEP_USERNAME | | |
104 CREDUI_FLAGS_ALWAYS_SHOW_UI | | |
105 CREDUI_FLAGS_DO_NOT_PERSIST | | |
106 (tries > 1 ? CREDUI_FLAGS_INCORRECT_PASSWORD : 0)); | |
107 | |
108 if (credErr == NO_ERROR) { | |
109 usernameLen = CREDUI_MAX_USERNAME_LENGTH; | |
110 | |
111 logonErr = LogonUser(pszUserName, | |
112 useUpnName ? NULL : L".", | |
113 pszPwd, | |
114 LOGON32_LOGON_INTERACTIVE, | |
cpu_(ooo_6.6-7.5)
2013/10/22 21:10:06
this is the expensive one, try using the cheap one
Will Harris
2013/10/23 14:57:18
changed to LOGON32_LOGON_NETWORK
| |
115 LOGON32_PROVIDER_DEFAULT, | |
116 &hToken); | |
117 if (logonErr) { | |
118 retval = true; | |
119 CloseHandle(hToken); | |
120 } else { | |
121 if ( GetLastError() == ERROR_ACCOUNT_RESTRICTION && | |
cpu_(ooo_6.6-7.5)
2013/10/22 21:10:06
No spaces between ( and the following expression.
Will Harris
2013/10/23 14:57:18
Done.
| |
122 wcslen(pszPwd) == 0 ) { | |
123 // Password is blank, so permit. | |
124 retval = true; | |
125 } else { | |
126 DLOG(WARNING) << "Unable to authenticate " << GetLastError(); | |
127 } | |
128 } | |
129 } | |
130 } while (credErr == NO_ERROR && | |
131 (retval == false && tries < PASSWORD_MANAGER_MAX_PASSWORD_TRIES)); | |
cpu_(ooo_6.6-7.5)
2013/10/22 21:10:06
I don't agree with this loop of tries, I think it
Will Harris
2013/10/23 14:57:18
as discussed, this is okay because the user can br
| |
132 | |
133 SecureZeroMemory(pszDisplayName, sizeof(pszDisplayName)); | |
134 SecureZeroMemory(pszUserName, sizeof(pszUserName)); | |
135 SecureZeroMemory(pszPwd, sizeof(pszPwd)); | |
136 | |
137 return retval; | |
138 } | |
139 | |
140 } // namespace password_manager_util | |
OLD | NEW |