OLD | NEW |
---|---|
(Empty) | |
1 // Copyright (c) 2013 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 // windows.h must be first otherwise Win8 SDK breaks. | |
6 #include <windows.h> | |
7 #include <wincred.h> | |
8 #include <LM.h> | |
9 | |
10 // SECURITY_WIN32 must be defined in order to get | |
11 // EXTENDED_NAME_FORMAT enumeration. | |
12 #define SECURITY_WIN32 1 | |
13 #include <security.h> | |
14 #undef SECURITY_WIN32 | |
15 | |
16 #include "chrome/browser/password_manager/password_manager_util.h" | |
17 | |
18 #include "base/prefs/pref_registry_simple.h" | |
19 #include "base/prefs/pref_service.h" | |
20 #include "base/safe_numerics.h" | |
21 #include "base/strings/utf_string_conversions.h" | |
22 #include "base/time/time.h" | |
23 #include "chrome/browser/browser_process.h" | |
24 #include "chrome/browser/password_manager/password_manager.h" | |
25 #include "chrome/common/pref_names.h" | |
26 #include "content/public/browser/render_view_host.h" | |
27 #include "content/public/browser/render_widget_host_view.h" | |
28 #include "content/public/browser/web_contents.h" | |
29 #include "grit/chromium_strings.h" | |
30 #include "grit/generated_resources.h" | |
31 #include "ui/base/l10n/l10n_util.h" | |
32 | |
33 #if defined(USE_AURA) | |
34 #include "ui/aura/root_window.h" | |
35 #include "ui/aura/window.h" | |
36 #endif | |
37 | |
38 // static | |
39 void PasswordManager::RegisterLocalPrefs(PrefRegistrySimple* registry) { | |
40 registry->RegisterInt64Pref(prefs::kOsPasswordLastChanged, 0); | |
41 registry->RegisterBooleanPref(prefs::kOsPasswordBlank, false); | |
42 } | |
43 | |
44 namespace password_manager_util { | |
45 | |
46 const unsigned kMaxPasswordRetries = 3; | |
47 | |
48 const unsigned kCredUiDefaultFlags = | |
49 CREDUI_FLAGS_GENERIC_CREDENTIALS | | |
50 CREDUI_FLAGS_EXCLUDE_CERTIFICATES | | |
51 CREDUI_FLAGS_KEEP_USERNAME | | |
52 CREDUI_FLAGS_ALWAYS_SHOW_UI | | |
53 CREDUI_FLAGS_DO_NOT_PERSIST; | |
54 | |
55 static int64 GetPasswordLastChanged(WCHAR* username) { | |
56 LPUSER_INFO_1 user_info = NULL; | |
57 DWORD age = 0; | |
58 | |
59 NET_API_STATUS ret = NetUserGetInfo(NULL, username, 1, (LPBYTE*) &user_info); | |
60 | |
61 if (ret == NERR_Success) { | |
62 // Returns seconds since last password change. | |
63 age = user_info->usri1_password_age; | |
64 NetApiBufferFree(user_info); | |
65 } else { | |
66 return -1; | |
67 } | |
68 | |
69 base::Time changed = base::Time::Now() - base::TimeDelta::FromSeconds(age); | |
70 | |
71 return changed.ToInternalValue(); | |
72 } | |
73 | |
74 static bool CheckBlankPassword(WCHAR* username) { | |
75 PrefService* local_state = g_browser_process->local_state(); | |
76 int64 last_changed = GetPasswordLastChanged(username); | |
77 bool need_recheck = true; | |
78 bool blank_password = false; | |
79 | |
80 if (last_changed != -1 && | |
81 local_state->HasPrefPath(prefs::kOsPasswordBlank)) { | |
82 blank_password = local_state->GetBoolean(prefs::kOsPasswordBlank); | |
83 if (local_state->HasPrefPath(prefs::kOsPasswordLastChanged)) { | |
84 int64 pref_last_changed = | |
85 local_state->GetInt64(prefs::kOsPasswordLastChanged); | |
86 if (pref_last_changed > 0 && | |
87 last_changed <= pref_last_changed) { | |
88 need_recheck = false; | |
89 } | |
90 } | |
91 } | |
92 | |
93 if (need_recheck) { | |
94 HANDLE handle = INVALID_HANDLE_VALUE; | |
95 | |
96 // Attempt to login using blank password. | |
97 DWORD logon_result = LogonUser(username, | |
98 L".", | |
99 L"", | |
100 LOGON32_LOGON_NETWORK, | |
101 LOGON32_PROVIDER_DEFAULT, | |
102 &handle); | |
103 | |
104 // Win XP and later return ERROR_ACCOUNT_RESTRICTION for blank password. | |
105 if (logon_result) | |
106 CloseHandle(handle); | |
107 | |
108 // In the case the password is blank, then LogonUser returns a failure, | |
109 // handle is INVALID_HANDLE_VALUE, and GetLastError() is | |
110 // ERROR_ACCOUNT_RESTRICTION. | |
111 // http://msdn.microsoft.com/en-us/library/windows/desktop/ms681385 | |
112 blank_password = (logon_result || | |
113 GetLastError() == ERROR_ACCOUNT_RESTRICTION); | |
114 } | |
115 | |
cpu_(ooo_6.6-7.5)
2013/12/03 00:36:44
Beware that last_changed can be -1 when you reach
Will Harris
2013/12/03 21:16:57
Done.
| |
116 // Account for clock skew between pulling the password age and | |
117 // writing to the preferences by adding a small skew factor here. | |
118 last_changed += base::Time::kMicrosecondsPerSecond; | |
119 | |
120 // Save the blank password status for later. | |
121 local_state->SetBoolean(prefs::kOsPasswordBlank, blank_password); | |
122 local_state->SetInt64(prefs::kOsPasswordLastChanged, last_changed); | |
123 | |
124 return blank_password; | |
125 } | |
126 | |
127 bool AuthenticateUser(content::WebContents* web_contents) { | |
128 bool retval = false; | |
129 CREDUI_INFO cui = {}; | |
130 WCHAR username[CREDUI_MAX_USERNAME_LENGTH+1] = {}; | |
131 WCHAR displayname[CREDUI_MAX_USERNAME_LENGTH+1] = {}; | |
132 WCHAR password[CREDUI_MAX_PASSWORD_LENGTH+1] = {}; | |
133 DWORD username_length = CREDUI_MAX_USERNAME_LENGTH; | |
134 std::wstring product_name = | |
135 UTF16ToWide(l10n_util::GetStringUTF16(IDS_PRODUCT_NAME)); | |
136 std::wstring password_prompt = | |
137 UTF16ToWide(l10n_util::GetStringUTF16( | |
138 IDS_PASSWORDS_PAGE_AUTHENTICATION_PROMPT)); | |
139 HANDLE handle = INVALID_HANDLE_VALUE; | |
140 int tries = 0; | |
141 bool use_displayname = false; | |
142 bool use_principalname = false; | |
143 DWORD logon_result = 0; | |
144 | |
145 // On a domain, we obtain the User Principal Name | |
146 // for domain authentication. | |
147 if (GetUserNameEx(NameUserPrincipal, username, &username_length)) { | |
148 use_principalname = true; | |
149 } else { | |
150 username_length = CREDUI_MAX_USERNAME_LENGTH; | |
151 // Otherwise, we're a workstation, use the plain local username. | |
152 if (!GetUserName(username, &username_length)) { | |
153 DLOG(ERROR) << "Unable to obtain username " << GetLastError(); | |
154 return false; | |
155 } else { | |
156 // As we are on a workstation, it's possible the user | |
157 // has no password, so check here. | |
158 if (CheckBlankPassword(username)) | |
159 return true; | |
160 } | |
161 } | |
162 | |
163 // Try and obtain a friendly display name. | |
164 username_length = CREDUI_MAX_USERNAME_LENGTH; | |
165 if (GetUserNameEx(NameDisplay, displayname, &username_length)) | |
166 use_displayname = true; | |
167 | |
168 cui.cbSize = sizeof(CREDUI_INFO); | |
169 cui.hwndParent = NULL; | |
170 | |
171 gfx::NativeView view = web_contents->GetRenderViewHost()-> | |
172 GetView()->GetNativeView(); | |
173 #if defined(USE_AURA) | |
174 cui.hwndParent = view->GetDispatcher()->host()->GetAcceleratedWidget(); | |
175 #else | |
176 cui.hwndParent = view; | |
177 #endif | |
178 | |
179 cui.pszMessageText = password_prompt.c_str(); | |
180 cui.pszCaptionText = product_name.c_str(); | |
181 | |
182 cui.hbmBanner = NULL; | |
183 BOOL save_password = FALSE; | |
184 DWORD credErr = NO_ERROR; | |
185 | |
186 do { | |
187 tries++; | |
188 | |
189 // TODO(wfh) Make sure we support smart cards here. | |
190 credErr = CredUIPromptForCredentials( | |
191 &cui, | |
192 product_name.c_str(), | |
193 NULL, | |
194 0, | |
195 use_displayname ? displayname : username, | |
196 CREDUI_MAX_USERNAME_LENGTH+1, | |
197 password, | |
198 CREDUI_MAX_PASSWORD_LENGTH+1, | |
199 &save_password, | |
200 kCredUiDefaultFlags | | |
201 (tries > 1 ? CREDUI_FLAGS_INCORRECT_PASSWORD : 0)); | |
202 | |
203 if (credErr == NO_ERROR) { | |
204 logon_result = LogonUser(username, | |
205 use_principalname ? NULL : L".", | |
206 password, | |
207 LOGON32_LOGON_NETWORK, | |
208 LOGON32_PROVIDER_DEFAULT, | |
209 &handle); | |
210 if (logon_result) { | |
211 retval = true; | |
212 CloseHandle(handle); | |
213 } else { | |
214 if (GetLastError() == ERROR_ACCOUNT_RESTRICTION && | |
215 wcslen(password) == 0) { | |
216 // Password is blank, so permit. | |
217 retval = true; | |
218 } else { | |
219 DLOG(WARNING) << "Unable to authenticate " << GetLastError(); | |
220 } | |
221 } | |
222 SecureZeroMemory(password, sizeof(password)); | |
223 } | |
224 } while (credErr == NO_ERROR && | |
225 (retval == false && tries < kMaxPasswordRetries)); | |
226 return retval; | |
227 } | |
228 | |
229 } // namespace password_manager_util | |
OLD | NEW |